Ransomware actors are exploiting vulnerabilities in SimpleHelp RMM versions 5.5.7 and earlier, allowing unauthorized file access and potential ransomware deployment. Several threat actors such as DragonForce, Medusa, Royal, and Hive have been linked to these exploits, with AttackIQ providing emulations to help organizations test their defenses. #SimpleHelp #DragonForceRansomware #MedusaRansomware #AttackIQ
Key points
- Multiple path traversal vulnerabilities (CVE-2024-57727) in SimpleHelp RMM software allow remote unauthenticated attackers to download arbitrary files, including hashed password configuration files.
- Exploitation of SimpleHelp enables attackers to access downstream customer environments, exfiltrate data, and deploy ransomware.
- Adversaries have increasingly used RMM tools such as SimpleHelp, ConnectWise, and Kaseya VSA for initial access and to disguise malicious activity.
- Notable ransomware groups like DragonForce, Medusa, Royal, and Hive have leveraged these vulnerabilities and RMM tools in their cyberattacks.
- AttackIQ provides atomic tests and attack graphs that emulate behaviors of ransomware actors targeting RMM vulnerabilities to facilitate threat exposure validation.
- Threat actors use reconnaissance commands such as nltest and net.exe on compromised SimpleHelp servers to enumerate domain controllers and user information.
- CISA recommends patching vulnerable software and following its detection and mitigation guidance to defend against these attacks effectively.
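The two behaviours the key points describe (unauthenticated path-traversal downloads against an RMM server, and nltest / net.exe domain enumeration launched from a compromised RMM host) both leave telemetry a defender can match on. The script below is an added example written for this page; it is not code from AttackIQ, CISA or SimpleHelp. All log lines are constructed sample data, the request paths are illustrative rather than SimpleHelp's real endpoints, and the RMM parent-process path is a placeholder to be replaced with the real service binary in production. It also handles the double-URL-encoded traversal case, which goes beyond what the key points mention.

```python
"""Detectors for two behaviours from the advisory summary, over constructed telemetry:
  1. path-traversal download attempts in an HTTP access log (CVE-2024-57727 style), and
  2. nltest / net.exe domain reconnaissance spawned from an RMM service process.
"""
import json
import re
from urllib.parse import unquote

# --- 1. Path traversal attempts in web-server access logs --------------------

# Constructed Common Log Format lines. Paths are illustrative, NOT real SimpleHelp endpoints.
ACCESS_LOG = """\
10.0.0.5 - - [16/Jun/2025:10:01:02 +0000] "GET /static/app.js HTTP/1.1" 200 5123
203.0.113.7 - - [16/Jun/2025:10:01:09 +0000] "GET /files/..%2F..%2F..%2Fconfig/secrets.properties HTTP/1.1" 200 812
203.0.113.7 - - [16/Jun/2025:10:01:11 +0000] "GET /files/....//....//etc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [16/Jun/2025:10:01:15 +0000] "GET /files/%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
10.0.0.9 - - [16/Jun/2025:10:02:30 +0000] "GET /docs/readme.txt HTTP/1.1" 200 77
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Raw-form traversal markers: literal ../ or ..\ and their single-encoded variants.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|\.\.%2f|\.\.%5c)", re.IGNORECASE)


def _normalise(path: str) -> str:
    """Decode a bounded number of times so double-encoded %252e%252e%252f is caught too."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def find_traversal_requests(log_text: str) -> list[dict]:
    """Return one finding per request whose path carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        raw = m["path"]
        if TRAVERSAL_RE.search(raw) or "../" in _normalise(raw):
            hits.append({
                "ip": m["ip"],
                "path": raw,
                "status": int(m["status"]),
                # A 200 means the server actually handed the file back: highest priority.
                "served": m["status"] == "200",
            })
    return hits


# --- 2. Domain reconnaissance spawned from the RMM service --------------------

# Constructed process-creation events (JSON lines, the shape an EDR or Sysmon EID 1 feed
# would give after normalisation). "ExampleRMM" is a placeholder vendor path.
PROCESS_EVENTS = r"""
{"ts": "2025-06-16T10:03:01Z", "host": "rmm-srv01", "parent_image": "C:\\Program Files\\ExampleRMM\\rmm-service.exe", "image": "C:\\Windows\\System32\\nltest.exe", "command_line": "nltest /dclist:corp.example"}
{"ts": "2025-06-16T10:03:04Z", "host": "rmm-srv01", "parent_image": "C:\\Program Files\\ExampleRMM\\rmm-service.exe", "image": "C:\\Windows\\System32\\net.exe", "command_line": "net.exe group \"Domain Admins\" /domain"}
{"ts": "2025-06-16T10:05:00Z", "host": "ws-042", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\net.exe", "command_line": "net use Z: \\\\fileserver\\share"}
{"ts": "2025-06-16T10:06:10Z", "host": "rmm-srv01", "parent_image": "C:\\Program Files\\ExampleRMM\\rmm-service.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\temp\\notes.txt"}
"""

# Placeholder substring identifying the RMM service binary; substitute the real path in production.
RMM_PARENT_HINT = "examplermm"

# (tool name, command-line pattern) pairs for the enumeration commands named in the advisory.
RECON_PATTERNS = [
    ("nltest", r"/dclist|/domain_trusts|/dsgetdc"),
    ("net", r"\b(group|user|localgroup|view)\b.*/domain"),
]


def find_recon_from_rmm(events_text: str) -> list[dict]:
    """Flag nltest/net domain enumeration; mark whether the RMM service was the parent."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = ev["image"].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        cmd = ev["command_line"]
        for tool, pattern in RECON_PATTERNS:
            if image == tool and re.search(pattern, cmd, re.IGNORECASE):
                findings.append({
                    "host": ev["host"],
                    "tool": tool,
                    "command_line": cmd,
                    "from_rmm": RMM_PARENT_HINT in ev["parent_image"].lower(),
                })
    return findings


if __name__ == "__main__":
    for h in find_traversal_requests(ACCESS_LOG):
        print("traversal:", h)
    for f in find_recon_from_rmm(PROCESS_EVENTS):
        print("recon:", f)
```

On the sample data the first detector flags three requests from 203.0.113.7 (one of them served with a 200, which is the one to escalate first) and the second flags the nltest and net.exe group enumeration spawned by the RMM service while ignoring the ordinary `net use` on a workstation. Matching the parent process is what turns a noisy admin-tool alert into a high-confidence one: interactive helpdesk use of these commands from an RMM session is plausible, but the RMM server process itself spawning them is not.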
MITRE Techniques
- [T1071] Application Layer Protocol – Used RMM tool communication to conduct remote access and deploy ransomware. (‘…leveraging RMM toolsets for initial access and disguising malicious software…’)
- [T1083] File and Directory Discovery – Attackers downloaded arbitrary files, including configuration and password hashes, via path traversal vulnerabilities. (‘…could be leveraged by remote unauthenticated attackers to download arbitrary files from the SimpleHelp server…’)
- [T1018] Remote System Discovery – Threat actors used nltest and net commands to enumerate domain controllers and user accounts. (‘…observed using nltest and net commands to enumerate user and domain information.’)
- [T1046] Network Service Scanning – Reconnaissance activity to map network infrastructure through commands run on compromised RMM servers. (‘…reconnaissance related activity performed by threat actors who were able to successfully use a SimpleHelp server…’)
Indicators of Compromise
- [CVE] Vulnerabilities – CVE-2024-57727 (SimpleHelp path traversal), CVE-2024-1708 and CVE-2024-1709 (ConnectWise), CVE-2021-30116 (Kaseya VSA) referenced as exploitation targets.
- [File Hashes] Ransomware samples – DragonForce and Medusa ransomware hashes referenced in AttackIQ emulations (specific hashes withheld, references available in security bulletins).
- [Commands] Reconnaissance tools – Usage of nltest and net.exe commands on compromised systems for domain enumeration.
Read more: https://www.attackiq.com/2025/06/16/response-to-cisa-advisory-aa25-163a/