DragonForce Operator Chained SimpleHelp Flaws to Target MSP and Its Customers

Sophos has warned that a DragonForce ransomware operator exploited three chained vulnerabilities in SimpleHelp software to attack a managed service provider (MSP) and its customers. The incident highlights the importance of keeping remote support and access software up-to-date with the latest security patches.

SimpleHelp is a widely used remote support and access software designed for IT professionals and support teams. It enables technicians to remotely connect to and control computers for troubleshooting, maintenance, and support purposes. However, in this case, a DragonForce ransomware operator took advantage of three chained vulnerabilities in SimpleHelp to gain initial access to the MSP's servers.

The Chained Vulnerabilities

Sophos researchers reported that the DragonForce ransomware operator exploited three vulnerabilities in SimpleHelp, tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726. These vulnerabilities include:

  • CVE-2024-57727: An unauthenticated path traversal issue allowing attackers to download arbitrary files from the server, including sensitive data like the serverconfig.xml file.
  • CVE-2024-57728: Enables arbitrary file uploads, leading to remote code execution if attackers gain admin credentials. For Linux, this allows remote command execution via crontab uploads; for Windows, it enables executable overwrites.
  • CVE-2024-57726: Allows privilege escalation, letting a low-privilege technician elevate to admin by exploiting missing backend authorization checks.

The third vulnerability, CVE-2024-57726, allows an attacker to escalate their access to an administrative level on vulnerable servers. This granted access to customer machines and made the server vulnerable to further exploits.
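A defender-side illustration of the first link in the chain, the unauthenticated path traversal that exposes serverconfig.xml: the script below scans web-server access logs for traversal sequences (including URL-encoded and double-encoded forms and backslash separators) and for any request whose target file is serverconfig.xml. This is an added example written for this article, not code from Sophos, Arctic Wolf or SimpleHelp. It assumes common-log-format lines; the sample lines, the client addresses and the `/res/` URL prefix are constructed for the demonstration and are not SimpleHelp's real endpoints.

```python
"""Scan HTTP access logs for path-traversal and sensitive-file requests.

Added illustration for the CVE-2024-57727 style of issue: an unauthenticated
path traversal that lets a remote client read serverconfig.xml. The log
lines and URL paths below are constructed; they do not reproduce any real
SimpleHelp endpoint or request.
"""
import re
from urllib.parse import unquote

# Constructed sample log in common log format (addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [20/May/2025:10:01:02 +0000] "GET /static/app.js HTTP/1.1" 200 5120
203.0.113.55 - - [20/May/2025:10:01:09 +0000] "GET /res/..%2F..%2Fserverconfig.xml HTTP/1.1" 200 8801
203.0.113.55 - - [20/May/2025:10:01:15 +0000] "GET /res/%252e%252e/%252e%252e/serverconfig.xml HTTP/1.1" 200 8801
198.51.100.7 - - [20/May/2025:10:02:30 +0000] "GET /help/index.html HTTP/1.1" 200 2210
198.51.100.7 - - [20/May/2025:10:03:01 +0000] "GET /res/..\\..\\serverconfig.xml HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files whose retrieval by a remote client is always suspicious.
# serverconfig.xml is the file named in the advisory; extend for your deployment.
SENSITIVE_FILES = {"serverconfig.xml"}


def normalize_path(raw: str) -> str:
    """URL-decode repeatedly (defeats double encoding) and unify separators."""
    path = raw.split("?", 1)[0]          # drop the query string
    for _ in range(3):                   # bounded: %252e -> %2e -> '.'
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")       # treat backslash as a separator too


def classify(path: str) -> list:
    """Return the reasons a decoded path is suspicious (empty if none)."""
    reasons = []
    segments = path.split("/")
    if ".." in segments:
        reasons.append("dot-dot segment (path traversal)")
    if segments[-1].lower() in SENSITIVE_FILES:
        reasons.append(f"request for sensitive file {segments[-1]}")
    return reasons


def analyze(log_text: str) -> list:
    """Parse each log line and collect findings for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # skip lines that are not in the expected format
        decoded = normalize_path(m["path"])
        reasons = classify(decoded)
        if reasons:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "raw_path": m["path"], "decoded_path": decoded,
                "status": int(m["status"]), "reasons": reasons,
                # a 200 means the server served the file: treat as likely compromise
                "severity": "high" if m["status"] == "200" else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['decoded_path']}  <- {'; '.join(f['reasons'])}")
```

A successful (HTTP 200) read of serverconfig.xml from an unfamiliar address is the trigger for the rest of the chain described above, so such hits warrant treating the server's admin credentials as exposed and reviewing subsequent uploads and technician privilege changes from the same source.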

The Attack Campaign

According to Sophos, the attackers allegedly exploited the vulnerabilities above, beginning about a week after their public disclosure, and used unauthorized access to devices running SimpleHelp RMM software as their initial access vector.

Arctic Wolf researchers reported a campaign targeting SimpleHelp servers, which allegedly exploited the chained vulnerabilities and began a week after their public disclosure. Attackers could download files, upload files with admin privileges, and escalate their access to an administrative level on vulnerable servers.

The Impact

Sophos uncovered that an attacker used a legitimate SimpleHelp remote management tool run by an MSP to push a suspicious installer and access client networks. The attacker gathered system info, user data, and network details across several customers.

Thanks to Sophos MDR and XDR protections, one client was able to block the ransomware and data theft attempt. However, other clients without those defenses weren't as lucky and were impacted. The MSP has since brought in Sophos Rapid Response to investigate and help contain the incident.

The DragonForce Ransomware Group

The DragonForce ransomware group recently made the headlines after claiming attacks on UK retailers like Marks & Spencer, Co-op, and Harrods. The group encrypts victims' data and demands a ransom, and it is also known to steal victims' data.

DragonForce runs a cybercrime affiliate service, letting affiliates use its tools to launch attacks and extort victims. The group manages both Telegram and Discord channels, and cybersecurity experts believe it is composed of English-speaking teenagers.

Conclusion

This incident highlights the importance of keeping remote support and access software up-to-date with the latest security patches. It also emphasizes the need for MSPs to implement robust security measures to protect their customers' data.

Sophos has published indicators of compromise for this threat on their GitHub. Cybersecurity experts recommend that organizations keep an eye on the situation and take necessary precautions to prevent similar attacks in the future.