
A number of vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) enabled attackers to upload and download files and escalate privileges to the admin level. The problem was recently discovered by Horizon3, which prompted SimpleHelp to release patches in fixed versions 5.5.8, 5.4.10, and 5.3.9.
But according to Arctic Wolf, attackers have already begun exploiting new bugs. A malicious campaign targeting SimpleHelp servers was launched a week after the publication of the Horizon3 security bulletin.
“While it is not confirmed that the recently disclosed vulnerabilities are responsible for the observed campaign, Arctic Wolf strongly recommends upgrading to the latest available fixed versions of the SimpleHelp server software where possible.”
Arctic Wolf analysts found that the SimpleHelp Remote Access.exe process was already running in the background on affected devices before the attack, left over from an earlier support session with a third-party vendor.
The first sign of compromise was communications between the SimpleHelp client on the target device and a third-party SimpleHelp server. Apparently, the attackers either used the SimpleHelp vulnerabilities to gain control over the client or used stolen credentials.
After gaining access to the organization, the attackers used tools such as net and nltest to collect information on its accounts, groups, shares, and domain controllers, and to test connectivity to Active Directory.
According to experts, these are the standard steps preceding privilege escalation and lateral movement. However, the malicious session was terminated before the attackers' further intentions could be determined.
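The two signals described above (the SimpleHelp client talking to a server the organization does not recognise, and net/nltest being launched from under that client) can be checked against endpoint telemetry. The following is an added detection example, not code from Arctic Wolf or SimpleHelp; the event record shape, host names, server names and the install path of Remote Access.exe are assumptions constructed for the example.

```python
"""Flag the SimpleHelp abuse pattern from the article in process/network telemetry.

Two findings are raised:
  1. a reconnaissance binary (net.exe, net1.exe, nltest.exe) whose parent
     process is the SimpleHelp client "Remote Access.exe";
  2. the SimpleHelp client connecting to a server that is not on the
     organisation's allowlist of known SimpleHelp servers.
The Event record is a simplified, hypothetical Sysmon-like shape.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

RECON_BINARIES = {"net.exe", "net1.exe", "nltest.exe"}
SIMPLEHELP_CLIENT = "remote access.exe"


@dataclass(frozen=True)
class Event:
    kind: str                 # "process" or "network"
    host: str
    image: str                # full path of the executable
    parent_image: str = ""    # process events only
    command_line: str = ""    # process events only
    dest: str = ""            # network events only: destination host


def _basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_recon(ev: Event) -> bool:
    """Recon tool spawned directly by the SimpleHelp client."""
    return (ev.kind == "process"
            and _basename(ev.image) in RECON_BINARIES
            and _basename(ev.parent_image) == SIMPLEHELP_CLIENT)


def unexpected_server(ev: Event, allowed_servers: Set[str]) -> bool:
    """SimpleHelp client connecting to a server the organisation does not use."""
    allowed = {s.lower() for s in allowed_servers}
    return (ev.kind == "network"
            and _basename(ev.image) == SIMPLEHELP_CLIENT
            and ev.dest.lower() not in allowed)


def analyse(events: Iterable[Event], allowed_servers: Set[str]) -> Dict[str, List[str]]:
    """Return findings grouped by host; each finding is a short reason string."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        if suspicious_recon(ev):
            findings.setdefault(ev.host, []).append(
                f"recon binary {_basename(ev.image)} spawned by SimpleHelp client: {ev.command_line}")
        elif unexpected_server(ev, allowed_servers):
            findings.setdefault(ev.host, []).append(
                f"SimpleHelp client connected to non-allowlisted server {ev.dest}")
    return findings


# Constructed sample telemetry; hosts, servers and the client path are hypothetical.
CLIENT = r"C:\Program Files\SimpleHelp\Remote Access.exe"
ALLOWED_SERVERS = {"support.vendor.example"}
SAMPLE_EVENTS = [
    Event("network", "ws-17", CLIENT, dest="support.vendor.example"),      # expected vendor session
    Event("network", "ws-17", CLIENT, dest="203.0.113.5"),                 # unknown third-party server
    Event("process", "ws-17", r"C:\Windows\System32\nltest.exe", CLIENT, "nltest /dclist:corp"),
    Event("process", "ws-17", r"C:\Windows\System32\net.exe", CLIENT, "net user /domain"),
    Event("process", "ws-02", r"C:\Windows\System32\net.exe",
          r"C:\Windows\System32\cmd.exe", "net use"),                      # admin at a shell: benign here
    Event("process", "ws-02", r"C:\Windows\System32\net1.exe",
          r"C:\Windows\explorer.exe", "net1 view"),                        # not under SimpleHelp: no finding
]

if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_EVENTS, ALLOWED_SERVERS).items():
        for reason in reasons:
            print(f"{host}: {reason}")
```

The parent check only looks one level up; a real deployment would walk the full process ancestry, since the client may launch a shell that in turn launches net or nltest.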
According to The Shadowserver Foundation, some 580 vulnerable SimpleHelp instances are currently available online; most of them (345) are located in the United States.
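Counting exposed instances as vulnerable or not depends on comparing a reported version against the fix for its own release branch (5.5.8, 5.4.10 and 5.3.9 from the article), and a naive string comparison gets 5.4.10 versus 5.4.9 wrong. The following is an added example of that check, not SimpleHelp's or Shadowserver's code; it assumes the version string is dotted integers and that any release line newer than 5.5 already carries the fixes.

```python
"""Classify a SimpleHelp server version against the per-branch fixed versions."""
from typing import Optional, Tuple

# Fixed versions named in the article, keyed by release branch (major, minor).
FIXED_VERSIONS = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.4.10' into (5, 4, 10); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(text: str) -> Optional[bool]:
    """True if at/after the fix for its branch, False if before it,
    None for an older branch the article lists no fix for (needs manual review)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        # Tuple comparison is numeric per component, so (5,4,10) >= (5,4,9) holds.
        return version >= FIXED_VERSIONS[branch]
    if version > max(FIXED_VERSIONS.values()):
        return True   # assumption: a newer release line than 5.5.8 includes the fixes
    return None


def summarise(versions) -> dict:
    """Tally a list of observed version strings into patched / vulnerable / unknown."""
    tally = {"patched": 0, "vulnerable": 0, "unknown": 0}
    for v in versions:
        state = is_patched(v)
        key = "unknown" if state is None else ("patched" if state else "vulnerable")
        tally[key] += 1
    return tally


# Constructed sample of observed versions (not real scan data).
SAMPLE_VERSIONS = ["5.5.8", "5.5.7", "5.4.10", "5.4.9", "5.3.9", "5.3.2", "5.6.0", "5.2.1"]

if __name__ == "__main__":
    print(summarise(SAMPLE_VERSIONS))
```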
