Alert: Critical SimpleHelp RMM Vulnerabilities Weaponized in Active Ransomware Campaigns

SimpleHelp RMM Vulnerabilities Exploited in Potential Ransomware Attacks

Security researchers have discovered threat actors actively exploiting recently disclosed vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) software, potentially leading to ransomware attacks. Field Effect identified these exploitation attempts targeting three critical vulnerabilities: CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728.

Key Findings:
– Vulnerabilities allow information disclosure, privilege escalation, and remote code execution
– Patches available in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8
– Attack originated from an Estonian IP address (194.76.227.171)

Attack Methodology:
1. Initial access through vulnerable SimpleHelp RMM
2. Creation of “sqladmin” administrator account
3. Deployment of Sliver framework for persistence
4. Lateral movement across network
5. Attempted installation of Cloudflare tunnel for stealth operations

The attack pattern shows similarities to previous Akira ransomware campaigns from May 2023. Field Effect successfully detected and prevented the attack before ransomware deployment.

Additionally, researchers noted an increase in threat actors using ScreenConnect RMM software on bulletproof hosts for unauthorized access to victim systems.

Organizations are urged to:
– Update SimpleHelp RMM clients immediately
– Implement robust cybersecurity solutions
– Monitor for unauthorized RMM software installations
– Be vigilant against social engineering attempts
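As an added example (not code from Field Effect's report or from SimpleHelp), the kind of triage logic a defender could run over endpoint logs to surface the indicators in the attack methodology above (the "sqladmin" account, tunnel and RMM binaries) and the unauthorized RMM installations the recommendations say to monitor. The log lines, binary paths, hostnames and allowlist are constructed; Windows event IDs 4720, 4732 and Sysmon event 1 are real.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not from the report): simplified
# Windows Security / Sysmon-style lines in key=value form.
SAMPLE_EVENTS = [
    'EventID=4720 Host=FS01 SubjectUserName=SYSTEM TargetUserName=sqladmin',
    'EventID=4732 Host=FS01 GroupName=Administrators MemberName=sqladmin',
    'EventID=1 Host=WS07 Image="C:\\Temp\\cloudflared.exe"',
    'EventID=1 Host=WS09 Image="C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe"',
    'EventID=1 Host=JUMP01 Image="C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe"',
    'EventID=1 Host=WS09 Image="C:\\Windows\\System32\\notepad.exe"',
]

# Hypothetical allowlist: hosts where an RMM agent is expected to run.
RMM_ALLOWED_HOSTS = {"JUMP01"}
# Name fragments of the RMM and tunnelling tools named in the alert.
RMM_MARKERS = ("screenconnect", "simplehelp", "cloudflared")
# Account name the report associates with the intrusion.
SUSPICIOUS_ACCOUNTS = {"sqladmin"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value log line into a dict (quoted values unquoted)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def triage(lines):
    """Return (host, reason) findings for the indicators described above."""
    findings = []
    for line in lines:
        ev = parse(line)
        host, eid = ev.get("Host", "?"), ev.get("EventID")
        if eid == "4720" and ev.get("TargetUserName", "").lower() in SUSPICIOUS_ACCOUNTS:
            findings.append((host, "suspicious account created: " + ev["TargetUserName"]))
        elif eid == "4732" and ev.get("GroupName") == "Administrators":
            findings.append((host, "added to Administrators: " + ev.get("MemberName", "?")))
        elif eid == "1":  # Sysmon process creation
            exe = PureWindowsPath(ev.get("Image", "")).name.lower()
            if any(m in exe for m in RMM_MARKERS) and host not in RMM_ALLOWED_HOSTS:
                findings.append((host, "RMM/tunnel binary outside allowlist: " + exe))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

The allowlist is what separates a sanctioned RMM deployment from an attacker-dropped one; without it the ScreenConnect and SimpleHelp hits would be noise on every host where the tool is legitimately installed.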