Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software for Initial Access – Arctic Wolf

On January 22, 2025, Arctic Wolf observed a campaign exploiting vulnerabilities in SimpleHelp RMM software for unauthorized access. Several serious vulnerabilities had been disclosed just prior, potentially allowing attackers to leverage administrative privileges. While it’s uncertain if these vulnerabilities are responsible, Arctic Wolf urges users to upgrade their software to mitigate risks. Additionally, the prevalence of RMM tools makes them attractive targets for ransomware actors.

Affected: SimpleHelp software, organizations using SimpleHelp

Key points:

  • Campaign involved unauthorized access to devices via SimpleHelp RMM software.
  • Critical vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) were disclosed prior to the campaign.
  • Threat actors could exploit vulnerabilities to download/upload arbitrary files and escalate privileges.
  • Arctic Wolf recommends upgrading to fixed versions of SimpleHelp server software.
  • Uninstalling unused SimpleHelp client software is advised to minimize attack surface.
  • Ransomware actors have previously exploited vulnerabilities in other RMM tools, which makes RMM software an appealing target.
  • Compromise of a SimpleHelp server can result in intrusions across multiple organizations.
  • Successful threat activity involved enumeration of accounts and domains.

MITRE Techniques:

  • Initial Access (TA0001): Exploitation of software vulnerabilities (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728) in SimpleHelp.
  • Credential Access (TA0006): Privilege escalation to gain administrative access to SimpleHelp servers.
  • Discovery (TA0007): Enumeration of accounts and domain information via a cmd.exe process spawned during the SimpleHelp session.
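A detection sketch for the Discovery behaviour above: it flags cmd.exe processes launched under the SimpleHelp client that run account or domain enumeration commands. This is an added example, not code from Arctic Wolf's post; the log layout is constructed and the SimpleHelp client image name (`Remote Access.exe`) is an assumption.

```python
import json

# Constructed sample events (Sysmon/EDR-style process creation, JSON lines);
# not taken from the advisory. The SimpleHelp client image name below is an
# assumption and must be adjusted to the binary actually deployed.
SAMPLE_LOG = r"""
{"host":"ws01","parent_image":"C:\\Program Files\\SimpleHelp\\Remote Access.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c net user /domain"}
{"host":"ws01","parent_image":"C:\\Program Files\\SimpleHelp\\Remote Access.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c nltest /dclist:corp"}
{"host":"ws02","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c net user"}
{"host":"ws03","parent_image":"C:\\Program Files\\SimpleHelp\\Remote Access.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c ipconfig /all"}
"""

RMM_IMAGES = {"remote access.exe"}  # assumed SimpleHelp client image name
ENUM_COMMANDS = ("net user", "net group", "net localgroup", "whoami",
                 "nltest", "dsquery", "query user", "systeminfo")

def basename(path):
    """Return the lowercase file name from a Windows-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_enumeration(cmdline):
    """True when the command line contains an account/domain enumeration command."""
    text = " ".join(cmdline.lower().split())  # normalise case and whitespace
    return any(marker in text for marker in ENUM_COMMANDS)

def find_rmm_enumeration(log_text):
    """Return (host, cmdline) pairs for cmd.exe children of the RMM client that enumerate."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if basename(event["image"]) != "cmd.exe":
            continue
        if basename(event["parent_image"]) not in RMM_IMAGES:
            continue
        if is_enumeration(event["cmdline"]):
            hits.append((event["host"], event["cmdline"]))
    return hits

if __name__ == "__main__":
    for host, cmd in find_rmm_enumeration(SAMPLE_LOG):
        print(f"{host}: {cmd}")
```

Legitimate technicians also run these commands, so treat the hits as a triage signal to correlate with the SimpleHelp session's origin and operator rather than as a standalone verdict.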

Indicators of Compromise:

  • [CVE] CVE-2024-57726
  • [CVE] CVE-2024-57727
  • [CVE] CVE-2024-57728
  • [CVE] CVE-2024-1708
  • [CVE] CVE-2024-1709


Full Story: https://arcticwolf.com/resources/blog-uk/arctic-wolf-observes-campaign-exploiting-simplehelp-rmm-software-initial-access/