A recent campaign has been observed targeting devices running SimpleHelp RMM software, exploiting newly disclosed vulnerabilities. Arctic Wolf recommends upgrading SimpleHelp server software and uninstalling unused clients to mitigate risks. The threat actors could potentially gain administrative access, facilitating broader intrusions. Affected: SimpleHelp RMM software, organizations using SimpleHelp
Keypoints :
- Campaign observed involving unauthorized access via SimpleHelp RMM software.
- Several vulnerabilities disclosed in SimpleHelp (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728) prior to the campaign.
- Vulnerabilities could allow file downloads/uploads and privilege escalations on affected servers.
- Threat actors could use these vulnerabilities to compromise devices using SimpleHelp client software.
- Arctic Wolf recommends upgrading to the latest fixed versions of SimpleHelp and uninstalling unused client software.
- Managed Detection and Response detections are in place for activities observed in the campaign.
- Historically, RMM tools like SimpleHelp have been targeted for initial access by various threat actors.
- Compromise of a SimpleHelp server could affect multiple supported organizations.
- Known actors include affiliates of LockBit, REvil, Royal, Hive, and MuddyWater.
MITRE Techniques :
- T1078: Valid Accounts – Utilized cmd.exe to enumerate accounts and domain information.
- T1046: Network Service Scanning – Communicated with unapproved SimpleHelp server instance.
Indicator of Compromise :
- [CVE] CVE-2024-57726
- [CVE] CVE-2024-57727
- [CVE] CVE-2024-57728
- [Product] SimpleHelp Server Version: 5.5.x
- [Product] SimpleHelp Server Fixed Version: 5.5.8