Cybersecurity researchers at Sophos have revealed details of a sophisticated attack where threat actors exploited vulnerabilities in SimpleHelp remote monitoring and management (RMM) software to deploy DragonForce ransomware across multiple organizations through a managed service provider (MSP).
The attack represents a significant supply chain compromise, where hackers gained access to an MSP’s SimpleHelp RMM platform and used it as a launching pad to target the provider’s downstream customers.
Sophos MDR investigators believe the attackers exploited a chain of three critical vulnerabilities disclosed in January 2025: CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload vulnerability), and CVE-2024-57726 (privilege escalation vulnerability).
“The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections,” according to the Sophos investigation.
DragonForce ransomware has rapidly evolved since its emergence in mid-2023, transforming from a traditional ransomware-as-a-service (RaaS) operation into what the group calls a “cartel” model.
This new approach allows affiliates to create their own brands while leveraging DragonForce‘s infrastructure and tools, making it more attractive to a broader range of cybercriminals.
The group gained significant notoriety in recent months for claiming responsibility for attacks against major UK retailers, including Marks & Spencer, Co-op, and Harrods.
Security researchers believe these high-profile attacks involved collaboration with Scattered Spider, a sophisticated threat group formerly associated with RansomHub ransomware operations.
In the MSP incident, Sophos MDR was first alerted when suspicious SimpleHelp installer files were detected being pushed through the legitimate RMM platform.
The attackers conducted extensive reconnaissance, gathering detailed information about the MSP’s customer environments before deploying their ransomware payload.
One customer running Sophos XDR endpoint protection blocked the ransomware deployment before any files were encrypted.
Other MSP clients without comparable protection suffered both data exfiltration and encryption in a double-extortion scheme designed to maximize pressure on victims to pay.
The SimpleHelp vulnerabilities exploited in this attack are particularly dangerous because they chain into a complete compromise of the RMM server: the path traversal lets an unauthenticated attacker read server files, including configuration and credential material, the privilege escalation turns a low-privileged technician account into an administrator, and the arbitrary file upload then lets that administrator write files anywhere on the server.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog, acknowledging active exploitation and requiring federal agencies to patch by March 6, 2025.
MSPs represent attractive targets for ransomware operators because compromising a single provider can provide access to dozens or hundreds of customer networks.
Organizations using SimpleHelp are strongly advised to upgrade to version 5.5.8 (or the patched release for their branch), change administrator passwords, and restrict remote access to the server to known IP addresses.
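Because the fix for the chain landed as a separate patch level in each supported branch, checking "is it 5.5.8 yet?" alone misreports a 5.4.10 server as vulnerable and a 5.5.7 server as fine if the check is sloppy. The script below is an added example, not code from the article or from Sophos or SimpleHelp; it assumes the per-branch fix levels 5.3.9, 5.4.10 and 5.5.8 as published in the January 2025 vendor advisory (confirm against the advisory before relying on it), treats older branches with no listed fix as exposed, and runs over a constructed host inventory rather than real data.

```python
"""
Flag SimpleHelp servers still on a pre-fix release for the
CVE-2024-57727 / CVE-2024-57728 / CVE-2024-57726 chain.

Per-branch fix levels are an assumption taken from the January 2025 vendor
advisory (5.3.9, 5.4.10, 5.5.8); the inventory below is constructed sample
data, not real hosts.
"""
import re
from typing import Dict, List, Optional, Tuple

# (major, minor) -> first patch level in that branch that contains the fix.
FIXED_PATCH_LEVEL: Dict[Tuple[int, int], int] = {
    (5, 3): 9,
    (5, 4): 10,
    (5, 5): 8,
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch'; return None for anything else."""
    match = VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the release predates its branch's fix, False if fixed,
    None if the version string cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch = parsed
    branch = (major, minor)
    if branch in FIXED_PATCH_LEVEL:
        return patch < FIXED_PATCH_LEVEL[branch]
    # Branches newer than the newest patched branch are assumed to carry the
    # fix; older branches (5.2 and below) have no patched release listed, so
    # they are treated as exposed.
    return branch < max(FIXED_PATCH_LEVEL)


# Constructed inventory: "hostname,version" per line.
SAMPLE_INVENTORY = """\
msp-rmm-01,5.5.7
msp-rmm-02,5.5.8
client-a-rmm,5.4.9
client-b-rmm,5.3.9
legacy-rmm,5.2.4
unknown-rmm,n/a
"""


def find_exposed(inventory: str) -> Dict[str, List[str]]:
    """Bucket hosts into vulnerable / patched / unknown by version."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        verdict = is_vulnerable(version)
        if verdict is None:
            bucket = "unknown"
        elif verdict:
            bucket = "vulnerable"
        else:
            bucket = "patched"
        report[bucket].append(host.strip())
    return report


if __name__ == "__main__":
    for bucket, hosts in find_exposed(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the version each SimpleHelp server reports in its admin console, and treat anything in the "unknown" bucket as a host to inspect by hand rather than as clean.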
Security experts emphasize the importance of robust endpoint protection and managed detection and response services, particularly for MSPs whose compromise can have cascading effects across multiple organizations.
The post Hackers Exploit SimpleHelp RMM Tool to Deploy DragonForce Ransomware appeared first on Cyber Security News.