Management (RMM) clients to gain administrative control, install backdoors, and possibly set the stage for ransomware deployment.
The vulnerabilities, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were first flagged last week by Arctic Wolf as potential attack vectors. While that firm could not verify active exploitation, cybersecurity company Field Effect has now confirmed their abuse in ongoing cyberattacks.
Field Effect shared its findings with BleepingComputer, highlighting that the attack patterns bear similarities to Akira ransomware activity. However, researchers lack definitive evidence to attribute these attacks with high confidence.
The breach begins when attackers exploit SimpleHelp RMM vulnerabilities to gain unauthorized access to a target system. The initial connection originates from IP address 194.76.227[.]171, linked to an Estonian server running a SimpleHelp instance on port 80.
Once inside, the attackers execute reconnaissance commands to gather information on system architecture, user privileges, network configurations, scheduled tasks, services, and Domain Controller (DC) details. Researchers also observed a specific command attempting to identify the CrowdStrike Falcon security suite, likely as part of an evasion strategy.
Leveraging this access, the hackers create a new administrator account ("sqladmin") to maintain persistence. They then deploy Sliver (agent.exe), a post-exploitation framework increasingly used as an alternative to Cobalt Strike, which security tools now frequently detect.
Once executed, Sliver connects to a command-and-control (C2) server in the Netherlands, allowing remote command execution. Field Effect also discovered a backup IP with Remote Desktop Protocol (RDP) enabled, indicating additional persistence measures.
After securing initial access, the attackers escalate their attack by compromising the Domain Controller (DC) via the same SimpleHelp RMM client. They create another admin account ("fpmhlttech") and, instead of deploying a conventional backdoor, install a Cloudflare Tunnel disguised as Windows svchost.exe to bypass security defenses and maintain stealthy access.
To safeguard against these threats, SimpleHelp users must immediately apply security updates addressing CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. Users should also:
- Audit admin accounts: Look for unauthorized accounts like "sqladmin" and "fpmhlttech".
- Monitor network connections: Check for any connections to suspicious IPs flagged in Field Effect’s report.
- Restrict RMM access: Limit SimpleHelp usage to trusted IP ranges to prevent unauthorized logins.
By following these security measures, organizations can mitigate risks associated with SimpleHelp RMM vulnerabilities and prevent potential ransomware attacks.
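The three checks above, turned into a small triage script over constructed sample telemetry. This is an added example, not code from the article or from Field Effect: the event format, the sample lines, the process name rmmclient.exe, and the 10.0.0.0/8 allowlist are assumptions; the account names and the attacker IP come from the article.

```python
import ipaddress
import ntpath

# Indicators taken from the article; the IP is defanged there as 194.76.227[.]171.
SUSPICIOUS_ACCOUNTS = {"sqladmin", "fpmhlttech"}
ATTACKER_IPS = {"194.76.227.171"}
# Directories from which a genuine svchost.exe is expected to run.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Hypothetical allowlist of networks permitted to log in to the RMM server.
TRUSTED_RMM_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed sample telemetry in a simple "kind|key=value|..." form (not real logs).
SAMPLE_EVENTS = [
    "account_created|user=SQLAdmin|group=Administrators",
    "account_created|user=jdoe|group=Users",
    "net_conn|dst=194.76.227.171|dport=80|proc=rmmclient.exe",
    "net_conn|dst=10.0.0.5|dport=443|proc=chrome.exe",
    "process_start|image=C:\\ProgramData\\svchost.exe|cmdline=svchost.exe tunnel run",
    "process_start|image=C:\\Windows\\System32\\svchost.exe|cmdline=svchost.exe -k netsvcs",
    "rmm_login|src=203.0.113.9|user=helpdesk",
    "rmm_login|src=10.20.30.40|user=helpdesk",
]

def parse_event(line):
    kind, *fields = line.split("|")
    return kind, dict(f.split("=", 1) for f in fields)

def check_event(line):
    """Return the findings for one event line (empty list when nothing matches)."""
    kind, f = parse_event(line)
    findings = []
    if kind == "account_created" and f.get("user", "").lower() in SUSPICIOUS_ACCOUNTS:
        findings.append(f"account name matches reported IoC: {f['user']}")
    if kind == "net_conn" and f.get("dst") in ATTACKER_IPS:
        findings.append(f"connection to reported attacker IP {f['dst']}:{f.get('dport')}")
    if kind == "process_start":
        image = f.get("image", "")
        # A Cloudflare Tunnel binary renamed to svchost.exe lives outside the system dirs.
        if (ntpath.basename(image).lower() == "svchost.exe"
                and ntpath.dirname(image).lower() not in LEGIT_SVCHOST_DIRS):
            findings.append(f"svchost.exe running from unexpected path: {image}")
    if kind == "rmm_login":
        src = ipaddress.ip_address(f["src"])
        if not any(src in net for net in TRUSTED_RMM_RANGES):
            findings.append(f"RMM login from outside trusted ranges: {src}")
    return findings

def triage(lines):
    """Map each suspicious event line to its findings; benign lines are omitted."""
    return {line: hits for line in lines if (hits := check_event(line))}
```

Running `triage(SAMPLE_EVENTS)` flags four of the eight constructed events; the matching is case-insensitive on account names and path-based for svchost.exe, so rename the indicators to suit your own telemetry source.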