Hackers Exploit SimpleHelp RMM Software Vulnerabilities to Infiltrate Networks
January 28, 2025
It is suspected that hackers are exploiting vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) software to gain initial access to target networks. These vulnerabilities, labelled as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow the threat actors to download and upload files on devices and escalate privileges to administrative levels. Horizon3 researchers discovered these flaws and made them public two weeks ago. SimpleHelp responded to these vulnerabilities by releasing fixes in product versions 5.5.8, 5.4.10, and 5.3.9 between January 8 and 13.
Arctic Wolf, a cybersecurity firm, has reported an ongoing campaign targeting SimpleHelp servers. This campaign began approximately a week after Horizon3 disclosed the vulnerabilities. While Arctic Wolf cannot confirm with absolute certainty that the attacks are leveraging these vulnerabilities, it has connected its observations to Horizon3's report with medium confidence. Arctic Wolf strongly recommends upgrading to the latest available fixed versions of the SimpleHelp server software where possible. In cases where the SimpleHelp client was installed on devices for third-party support sessions but is not actively being used, Arctic Wolf recommends uninstalling the software to minimize the potential attack surface.
The Shadowserver Foundation, a threat monitoring platform, reported that it has identified 580 internet-exposed instances vulnerable to these flaws, the majority of them (345) located in the United States. Arctic Wolf has observed that the SimpleHelp 'Remote Access.exe' process was already running in the background before the attack, implying that SimpleHelp had previously been installed on the devices for remote support sessions. The first indication of compromise was the SimpleHelp client on the target device communicating with an unauthorized SimpleHelp server. This could have been achieved either by the attacker exploiting the SimpleHelp flaws to gain control of the client or by using stolen credentials to hijack the connection.
Once the attackers gained access, they ran commands such as 'net' and 'nltest' through cmd.exe to enumerate user accounts, groups, shared resources and domain controllers, and to test connectivity to Active Directory. These are typical reconnaissance steps taken before privilege escalation and lateral movement. However, Arctic Wolf reports that the malicious session was terminated before it could ascertain the threat actor's next move.
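The two observations above translate directly into detection logic: the SimpleHelp client talking to a server that is not one of the organisation's own, and discovery tools running with the SimpleHelp client as an ancestor process. The following script is an added example written for this article, not code from Arctic Wolf or SimpleHelp; it runs over constructed process-creation and network-connection records (the shape Sysmon or an EDR would provide). The approved server name, process IDs and command lines are all invented sample data.

```python
"""Detection logic for the two SimpleHelp indicators described in the article.

Indicator 1: 'Remote Access.exe' (the SimpleHelp client) connecting to a server that
             is not on the organisation's approved list of SimpleHelp servers.
Indicator 2: net / nltest discovery commands whose process ancestry leads back to the
             SimpleHelp client, i.e. commands typed through a remote support session.
All telemetry below is constructed sample data, not real log output.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical: the SimpleHelp server(s) this organisation legitimately uses.
APPROVED_SIMPLEHELP_SERVERS = {"simplehelp.corp.example"}

SIMPLEHELP_CLIENT = "remote access.exe"
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "nltest.exe"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # executable basename as logged
    command_line: str


@dataclass
class NetworkEvent:
    pid: int
    image: str
    dest_host: str
    dest_port: int


def index_processes(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    """Index process-creation events by pid so ancestry can be walked."""
    return {e.pid: e for e in events}


def ancestry(pid: int, procs: Dict[int, ProcessEvent]) -> List[str]:
    """Lower-cased image names from the given process up to the root of the tree.
    A 'seen' set guards against pid reuse producing a cycle in the telemetry."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = procs.get(cur.ppid)
    return chain


def unauthorized_server_connections(net_events: List[NetworkEvent]) -> List[str]:
    """Indicator 1: SimpleHelp client connecting anywhere other than an approved server."""
    return [
        f"pid {ev.pid}: SimpleHelp client connected to unapproved server "
        f"{ev.dest_host}:{ev.dest_port}"
        for ev in net_events
        if ev.image.lower() == SIMPLEHELP_CLIENT
        and ev.dest_host.lower() not in APPROVED_SIMPLEHELP_SERVERS
    ]


def discovery_via_simplehelp(procs: Dict[int, ProcessEvent]) -> List[str]:
    """Indicator 2: discovery tooling with the SimpleHelp client anywhere in its ancestry.
    Walking the full chain (not just the direct parent) catches net.exe -> net1.exe
    hand-offs and cmd.exe intermediaries."""
    alerts = []
    for p in procs.values():
        if p.image.lower() not in DISCOVERY_TOOLS:
            continue
        chain = ancestry(p.pid, procs)
        if SIMPLEHELP_CLIENT in chain[1:]:
            alerts.append(
                f"pid {p.pid}: {p.command_line!r} run under SimpleHelp client "
                f"(chain: {' <- '.join(chain)})"
            )
    return alerts


# Constructed sample telemetry: one support session running discovery, plus an
# unrelated local administrator running 'net view' from an Explorer-spawned shell.
SAMPLE_PROCESSES = [
    ProcessEvent(100, 1, "Remote Access.exe", '"Remote Access.exe"'),
    ProcessEvent(210, 100, "cmd.exe", "cmd.exe /c net user"),
    ProcessEvent(211, 210, "net.exe", "net user"),
    ProcessEvent(212, 211, "net1.exe", "net1 user"),          # net.exe delegates to net1.exe
    ProcessEvent(220, 100, "cmd.exe", "cmd.exe /c nltest /dclist:corp"),
    ProcessEvent(221, 220, "nltest.exe", "nltest /dclist:corp"),
    ProcessEvent(300, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(310, 300, "cmd.exe", "cmd.exe"),
    ProcessEvent(311, 310, "net.exe", "net view"),             # interactive admin, not flagged
]
SAMPLE_NETWORK = [
    NetworkEvent(100, "Remote Access.exe", "simplehelp.corp.example", 443),   # approved
    NetworkEvent(100, "Remote Access.exe", "unknown-host.example.net", 443),  # flagged
]

if __name__ == "__main__":
    procs = index_processes(SAMPLE_PROCESSES)
    for alert in unauthorized_server_connections(SAMPLE_NETWORK) + discovery_via_simplehelp(procs):
        print(alert)
```

Indicator 1 is the higher-fidelity of the two: an RMM client that only ever talks to one vendor or in-house server should never be seen connecting elsewhere, so the allowlist rarely needs tuning. Indicator 2 will also fire on legitimate support technicians running discovery, which is useful context rather than noise as long as the alert carries the destination server from indicator 1.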
SimpleHelp users are advised to upgrade to the latest version that addresses the CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 flaws. More details on how to apply the security updates and verify the patch are available in SimpleHelp's bulletin. If SimpleHelp clients were installed in the past for remote support sessions but are no longer required, it is recommended that they be removed from the systems to reduce the attack surface.
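Because the fixes landed on three separate release branches, "latest version" means different numbers on different servers. The triage helper below is an added example for this article, not SimpleHelp's tooling; it classifies an inventory of installed server versions against the fixed versions the article names (5.5.8, 5.4.10, 5.3.9). Two assumptions are labelled in the code: branches newer than 5.5 are treated as post-fix, and branches older than 5.3, for which no fixed version is listed, are flagged for upgrade rather than declared safe. The host names and versions in the sample inventory are constructed.

```python
"""Classify installed SimpleHelp server versions against the patched releases
named in the article. Added example; the inventory below is constructed."""
from typing import Dict, List, Tuple

# Fixed versions per release branch, as stated in the article.
FIXED_VERSIONS = {
    (5, 5): (5, 5, 8),
    (5, 4): (5, 4, 10),
    (5, 3): (5, 3, 9),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.4.10' -> (5, 4, 10); integer tuples compare correctly where strings do not
    ('5.4.9' > '5.4.10' as strings, but (5, 4, 9) < (5, 4, 10))."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-branch' for one version string."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Assumption: a branch newer than any listed one was released after the fixes.
        if branch > max(FIXED_VERSIONS):
            return "patched"
        # Assumption: older branches have no listed fix, so they need an upgrade.
        return "unsupported-branch"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by patch status so the ones needing action are listed first."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "unsupported-branch": [], "patched": []}
    for host, version in sorted(inventory.items()):
        groups[patch_status(version)].append(f"{host} ({version})")
    return groups


# Constructed sample inventory of SimpleHelp servers.
SAMPLE_INVENTORY = {
    "rmm-01.corp.example": "5.5.8",
    "rmm-02.corp.example": "5.5.7",
    "rmm-03.corp.example": "5.4.10",
    "rmm-04.corp.example": "5.4.9",
    "rmm-05.corp.example": "5.3.9",
    "rmm-06.corp.example": "5.2.3",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```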