Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks

📟 News

Date: 30/01/2025

Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks.

A number of vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) enabled attackers to upload and download files and escalate privileges to the admin level. The problem was recently discovered by Horizon3, which prompted SimpleHelp to release patches and fixed versions 5.5.8, 5.4.10, and 5.3.9.

But according to Arctic Wolf, attackers have already begun exploiting new bugs. A malicious campaign targeting SimpleHelp servers was launched a week after the publication of the Horizon3 security bulletin.

“While it is not confirmed that the recently disclosed vulnerabilities are responsible for the observed campaign, Arctic Wolf strongly recommends upgrading to the latest available fixed versions of the SimpleHelp server software where possible.”

Arctic Wolf analysts found out that the SimpleHelp Remote Access.exe process was running in the background on affected devices prior to the attack for a previous support session from a third-party vendor.

The first sign of compromise were communications between the SimpleHelp client on the target device and a third-party SimpleHelp server. Apparently, the attackers used vulnerabilities in SimpleHelp to gain control over the client or used stolen credentials.

After gaining access to the organization, the attackers used such tools as net and nltest to collect information on its accounts, groups, shares, and domain controllers, and also to test connectivity to Active Directory.

According to experts, these are the standard steps preceding privilege escalation and lateral movement. However, the malicious session was terminated before it was possible to figure out further plans of the attackers.

According to The Shadowserver Foundation, some 580 vulnerable SimpleHelp instances are currently available online; most of them (345) are located in the United States.

Related posts:
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…

Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs

According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…

Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…

Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years

Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…

Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello

Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…

Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud

Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…

Full article →
2025.04.16 — Android devices will restart every three days to protect user data

Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…

Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers

Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…

Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters

According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…

Full article →