Hackers Exploit SimpleHelp RMM Tool to Deploy DragonForce Ransomware

Cybercriminals leveraged critical vulnerabilities in remote monitoring software to breach a managed service provider and attack multiple customers.
Cybersecurity researchers at Sophos have revealed details of a sophisticated attack where threat actors exploited vulnerabilities in SimpleHelp remote monitoring and management (RMM) software to deploy DragonForce ransomware across multiple organizations through a managed service provider (MSP).
The attack represents a significant supply chain compromise, where hackers gained access to an MSP’s SimpleHelp RMM platform and used it as a launching pad to target the provider’s downstream customers.
Sophos MDR investigators believe the attackers exploited a chain of three critical vulnerabilities disclosed in January 2025: CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload vulnerability), and CVE-2024-57726 (privilege escalation vulnerability).
“The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections,” according to the Sophos investigation.
DragonForce Emerges as Major Threat
DragonForce ransomware has rapidly evolved since its emergence in mid-2023, transforming from a traditional ransomware-as-a-service (RaaS) operation into what the group calls a “cartel” model.
This new approach allows affiliates to create their own brands while leveraging DragonForce's infrastructure and tools, making it more attractive to a broader range of cybercriminals.
The group gained significant notoriety in recent months for claiming responsibility for attacks against major UK retailers, including Marks & Spencer, Co-op, and Harrods.
Security researchers believe these high-profile attacks involved collaboration with Scattered Spider, a sophisticated threat group formerly associated with RansomHub ransomware operations.
In the MSP incident, Sophos MDR was first alerted when suspicious SimpleHelp installer files were detected being pushed through the legitimate RMM platform.
The attackers conducted extensive reconnaissance, gathering detailed information about the MSP’s customer environments before deploying their ransomware payload.
One customer protected by Sophos XDR endpoint protection successfully blocked the ransomware deployment, demonstrating the effectiveness of advanced endpoint detection and response capabilities.
However, other MSP clients without adequate protection fell victim to both data encryption and exfiltration in a double-extortion scheme designed to maximize pressure on victims to pay ransoms.
Vulnerabilities Enable Remote Compromise
The SimpleHelp vulnerabilities exploited in this attack are particularly dangerous because they can be chained together for complete system compromise.
- CVE-2024-57727 allows unauthenticated attackers to download arbitrary files from SimpleHelp hosts, including server configuration files containing secrets and hashed passwords.
- CVE-2024-57726 enables low-privilege technicians to escalate to administrator roles with excessive permissions.
- CVE-2024-57728 permits authenticated administrators to upload malicious files anywhere on the system, potentially leading to remote code execution.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog, acknowledging active exploitation and requiring federal agencies to patch by March 6, 2025.
MSPs represent attractive targets for ransomware operators because compromising a single provider can provide access to dozens or hundreds of customer networks.
Organizations using SimpleHelp are strongly advised to upgrade to version 5.5.8 or apply available patches, change administrator passwords, and implement IP address restrictions for remote access.
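Two of the defender-side checks implied by the vulnerability list and the patching advice above, written as an added Python example that is not from the Sophos investigation, from SimpleHelp, or from Cyber Security News: a numeric version comparison against the 5.5.8 floor (so that a version such as 5.5.10 is not mistaken for older than 5.5.8, as a plain string comparison would do), and a scan of web-server access-log lines for the path-traversal request shapes that the CVE-2024-57727 class of bug depends on, including single- and double-percent-encoded forms. The log line format, the request paths, and the 203.0.113.x client addresses are all constructed for the example; the traversal regex is a generic pattern, not the vendor's own signature, and the real vulnerable endpoints are not reproduced here.

```python
import re
from urllib.parse import unquote

# Minimum fixed SimpleHelp version named in the article.
MIN_FIXED_VERSION = (5, 5, 8)


def parse_version(version: str) -> tuple:
    """Turn '5.5.7' into (5, 5, 7) so the comparison is numeric, not lexical.

    A lexical comparison would rank '5.5.10' below '5.5.8'; a tuple of ints
    does not. Any non-numeric suffix is ignored.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(p) for p in parts[:3])
    return v + (0,) * (3 - len(v))  # pad '5.5' to (5, 5, 0)


def is_patched(version: str) -> bool:
    """True if the reported server version is at or above the 5.5.8 floor."""
    return parse_version(version) >= MIN_FIXED_VERSION


# Generic traversal shape: a '..' segment bounded by slashes (either style)
# or by the start/end of the path. 'report..pdf' does not match.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed log shape for this example: '<client> <method> <path> <status>'.
LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def normalize_path(raw_path: str) -> str:
    """Percent-decode repeatedly (bounded) so '%252e%252e' is seen as '..'.

    Stop when decoding no longer changes the string; cap the rounds so a
    pathological input cannot keep the loop busy.
    """
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def find_traversal_attempts(log_lines):
    """Return one finding per log line whose decoded path contains traversal.

    'served' is True when the server answered with a non-error status, which
    is the subset worth escalating first: the request may have reached a file.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if TRAVERSAL_RE.search(normalize_path(m.group("path"))):
            status = int(m.group("status"))
            hits.append({
                "client": m.group("client"),
                "path": m.group("path"),
                "status": status,
                "served": status < 400,
            })
    return hits


# Constructed sample log lines (not real traffic); paths are illustrative.
SAMPLE_LOG = [
    "203.0.113.5 GET /assets/app.js 200",
    "203.0.113.7 GET /assets/../../config/secrets.conf 200",
    "203.0.113.9 GET /static/%2e%2e/%2e%2e/config/secrets.conf 404",
    "203.0.113.11 GET /static/%252e%252e/%252e%252e/config/secrets.conf 200",
    "203.0.113.13 GET /files/report..pdf 200",
]


if __name__ == "__main__":
    for ver in ("5.5.7", "5.5.8", "5.5.10"):
        print(ver, "patched" if is_patched(ver) else "UPGRADE REQUIRED")
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Run against a real access log, the `LOG_RE` pattern must be replaced with the server's actual log format; the traversal test itself only needs the decoded request path. Findings with `served` set are the ones to treat as a possible configuration-file disclosure and to follow with the credential rotation the article recommends.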
Security experts emphasize the importance of robust endpoint protection and managed detection and response services, particularly for MSPs whose compromise can have cascading effects across multiple organizations.
The post Hackers Exploit SimpleHelp RMM Tool to Deploy DragonForce Ransomware appeared first on Cyber Security News.