Threat actors are exploiting recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to gain initial access to target networks. The flaws, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to download files from the server, upload arbitrary files, and escalate privileges to the administrative level. SimpleHelp released fixes for the vulnerabilities between January 8 and 13 in product versions 5.5.8, 5.4.10, and 5.3.9. However, security firm Arctic Wolf has reported an ongoing campaign targeting SimpleHelp servers that began about a week after the flaws were publicly disclosed by researchers at Horizon3.
Arctic Wolf observed that the SimpleHelp ‘Remote Access.exe’ client process was already running on the targeted devices before the attack, indicating that SimpleHelp had previously been installed for legitimate remote support sessions. The first sign of compromise was that client communicating with a SimpleHelp server the organization had not approved, rather than with its expected server.
Hackers exploiting SimpleHelp vulnerabilities
The attackers then ran ‘net’ and ‘nltest’ through `cmd.exe` to enumerate the host and domain: user accounts, groups, shared resources, and domain controllers. This is standard discovery activity that typically precedes privilege escalation and lateral movement within a network. The malicious session was cut off before the threat actor’s ultimate intentions could be determined.
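The two indicators above (the SimpleHelp client talking to an unapproved server, then `net`/`nltest` spawned under that client via `cmd.exe`) are easy to turn into endpoint detections. The following is an added example written for this page, not Arctic Wolf's or SimpleHelp's code. It runs over constructed Sysmon-style events (Event ID 3 network connections and Event ID 1 process creations, reduced to the fields the rules need); the approved server list, process IDs, hostnames and IP addresses are all assumptions made up for the sample.

```python
import ntpath

# Assumption: the organisation's own SimpleHelp server, by hostname and IP.
APPROVED_SERVERS = {"support.example.com", "203.0.113.10"}
SIMPLEHELP_CLIENT = "remote access.exe"
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "nltest.exe"}
MAX_DEPTH = 4  # how far up the process tree to look for the SimpleHelp client


def _base(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image or "").lower()


def _from_simplehelp(event, procs):
    """True if the SimpleHelp client is an ancestor of this process.

    ParentImage is checked first at every level, so the client is found even
    when its own creation event predates the log window (it was already
    running, as in the article); ParentProcessId is then used to climb.
    """
    cur = event
    for _ in range(MAX_DEPTH):
        if _base(cur.get("ParentImage")) == SIMPLEHELP_CLIENT:
            return True
        cur = procs.get(cur.get("ParentProcessId"))
        if cur is None:
            return False
    return False


def detect(events):
    """Return (rule, detail) alerts for the two SimpleHelp indicators."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] == 3 and _base(e["Image"]) == SIMPLEHELP_CLIENT:
            # Prefer the resolved hostname; fall back to the raw IP.
            dest = e.get("DestinationHostname") or e.get("DestinationIp")
            if dest not in APPROVED_SERVERS:
                alerts.append(("unapproved_simplehelp_server", dest))
        elif e["EventID"] == 1 and _base(e["Image"]) in DISCOVERY_TOOLS:
            if _from_simplehelp(e, procs):
                alerts.append(("discovery_under_simplehelp", e["CommandLine"]))
    return alerts


# Constructed sample telemetry (not real logs): one legitimate check-in, one
# connection to an unknown server, then the discovery chain from the article,
# plus a benign 'net use' launched from Explorer that must not alert.
CLIENT = r"C:\Program Files\SimpleHelp\Remote Access.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": CLIENT, "DestinationHostname": "support.example.com",
     "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "Image": CLIENT, "DestinationHostname": "",
     "DestinationIp": "198.51.100.77"},
    {"EventID": 1, "ProcessId": 4100, "Image": CMD, "ParentProcessId": 3120,
     "ParentImage": CLIENT, "CommandLine": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"EventID": 1, "ProcessId": 4104, "Image": r"C:\Windows\System32\net.exe",
     "ParentProcessId": 4100, "ParentImage": CMD,
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"EventID": 1, "ProcessId": 4108, "Image": r"C:\Windows\System32\nltest.exe",
     "ParentProcessId": 4100, "ParentImage": CMD, "CommandLine": "nltest /dclist:"},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\net.exe",
     "ParentProcessId": 2000, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "net use"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On the sample the network rule fires once (for 198.51.100.77) and the discovery rule twice (for `net group` and `nltest`), while the Explorer-launched `net use` stays quiet. In production, key the process table on a process GUID rather than a bare PID, since PIDs are reused, and seed the allowlist from the server address actually configured in the deployed client rather than from memory.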
Shadowserver Foundation reports that 580 vulnerable SimpleHelp instances are currently exposed online, 345 of them in the United States. To mitigate the risk, SimpleHelp users are advised to upgrade to the patched versions that address CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. If SimpleHelp clients were installed in the past for remote support but are no longer needed, they should be uninstalled to reduce the attack surface, since a lingering client is exactly what this campaign abused.
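Because the fix shipped on three separate release branches, a plain "is the version at least 5.5.8" check misclassifies a patched 5.4.10 or 5.3.9 server. The triage helper below is an added example for this page, not a SimpleHelp tool; it encodes only the three fixed versions the article names. The inventory is constructed, and the treatment of branches the article does not mention (anything newer than 5.5 counted as fixed, anything older than 5.3 counted as needing an upgrade) is an assumption stated in the code.

```python
# Fixed version per release branch, as stated in the article.
FIXED_IN = {(5, 5): 8, (5, 4): 10, (5, 3): 9}


def parse_version(text):
    """'5.4.10' -> (5, 4, 10); a missing patch component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(version):
    """True if this server version carries the January 2025 fixes."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_IN:
        return patch >= FIXED_IN[branch]
    # Assumption: branches newer than 5.5 postdate the fix; branches older
    # than 5.3 received no fix in the article and must be upgraded.
    return branch > (5, 5)


def needs_upgrade(inventory):
    """Return the hosts whose SimpleHelp server version is still vulnerable."""
    return [host for host, ver in inventory.items() if not is_patched(ver)]


# Constructed inventory (hostnames and versions made up for the example).
INVENTORY = {
    "rmm-a.example.internal": "5.5.8",
    "rmm-b.example.internal": "5.5.7",
    "rmm-c.example.internal": "5.4.10",
    "rmm-d.example.internal": "5.3.8",
    "rmm-e.example.internal": "5.2.3",
}

if __name__ == "__main__":
    for host in needs_upgrade(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is vulnerable, upgrade required")
```

Run against the sample inventory it flags rmm-b (5.5.7), rmm-d (5.3.8) and rmm-e (5.2.3) and clears rmm-a and rmm-c, the latter despite 5.4.10 sorting below 5.5.8 numerically.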