Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks

A number of vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) enabled attackers to upload and download files and escalate privileges to the admin level. The problem was recently discovered by Horizon3, which prompted SimpleHelp to release patches and fixed versions 5.5.8, 5.4.10, and 5.3.9.

But according to Arctic Wolf, attackers have already begun exploiting new bugs. A malicious campaign targeting SimpleHelp servers was launched a week after the publication of the Horizon3 security bulletin.

“While it is not confirmed that the recently disclosed vulnerabilities are responsible for the observed campaign, Arctic Wolf strongly recommends upgrading to the latest available fixed versions of the SimpleHelp server software where possible.”

Arctic Wolf analysts found out that the SimpleHelp Remote Access.exe process was running in the background on affected devices prior to the attack for a previous support session from a third-party vendor.

The first sign of compromise were communications between the SimpleHelp client on the target device and a third-party SimpleHelp server. Apparently, the attackers used vulnerabilities in SimpleHelp to gain control over the client or used stolen credentials.

After gaining access to the organization, the attackers used such tools as net and nltest to collect information on its accounts, groups, shares, and domain controllers, and also to test connectivity to Active Directory.

According to experts, these are the standard steps preceding privilege escalation and lateral movement. However, the malicious session was terminated before it was possible to figure out further plans of the attackers.

According to The Shadowserver Foundation, some 580 vulnerable SimpleHelp instances are currently available online; most of them (345) are located in the United States.