DragonForce Hacks Exploit SimpleHelp Bugs

A managed service provider (MSP) and its clients have been infected with the DragonForce ransomware after attackers exploited a vulnerable instance of SimpleHelp, a remote monitoring and management (RMM) tool, according to a warning from anti-malware company Sophos.

Sophos believes the attackers gained initial access by chaining three security vulnerabilities in the SimpleHelp software. 

These vulnerabilities, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, allow attackers to retrieve logs, configuration files, and credentials. They can also log in with elevated privileges to upload malicious files, execute code, and eventually escalate their access to full administrator level, completely compromising the targeted systems. 

SimpleHelp released patches for the three flaws in mid-January. However, within two weeks, threat actors began exploiting unpatched internet-facing instances of the software by combining these vulnerabilities. 

According to Sophos, the threat actors likely used the chained flaws to compromise the MSP’s SimpleHelp setup, which the provider was using to support its customers. 

Once inside, the attackers used the RMM platform to gather information about the MSP’s clients. They collected data such as device names, configurations, user information, and network connections. 

The threat actor also exfiltrated sensitive data and eventually deployed DragonForce ransomware. The attack impacted both the MSP and the clients it served. 

DragonForce has attracted considerable attention in recent weeks, following claims of attacks on major UK retailers including Marks & Spencer, Co-op, and Harrods. Google has also issued a warning that the group has shifted its focus to retailers in the United States. 

Operating since mid-2023, DragonForce functions as a ransomware-as-a-service (RaaS) group and has taken over the infrastructure formerly used by RansomHub. A threat actor known as Scattered Spider, also referred to as UNC3944, previously affiliated with RansomHub, has reportedly been using DragonForce in recent attacks. 
