SimpleHelp RMM Vulnerabilities Exploited to Deploy Sliver Malware
February 6, 2025
Cybercriminals are exploiting vulnerabilities in SimpleHelp RMM clients to create admin accounts, drop backdoors, and potentially prepare for ransomware attacks. The flaws, known as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were initially reported by Arctic Wolf. However, the firm could not definitively confirm the exploitation of these flaws.
Field Effect, a cybersecurity firm, confirmed that these vulnerabilities are indeed being exploited in recent attacks. The firm also released a report detailing the post-exploitation activities. According to the report, the observed activities bear the hallmarks of Akira ransomware attacks, but there's insufficient evidence for a high-confidence attribution.
The attack begins with the threat actors exploiting the SimpleHelp RMM client vulnerabilities to establish an unauthorized connection to a target endpoint. The attackers connect from an Estonia-based server running a SimpleHelp instance on port 80. Upon connection, the attackers execute a series of discovery commands to gather information about the target environment, including system and network details, users and privileges, scheduled tasks and services, and domain controller information. A command that searched for the CrowdStrike Falcon security suite was also observed, likely in preparation for an attempt to bypass it.
Using their access and gathered information, the attackers create a new admin account named 'sqladmin' to maintain access to the environment. This is followed by the installation of the Sliver post-exploitation framework (agent.exe). Sliver is a post-exploitation framework developed by Bishop Fox that has gained popularity over the last few years as an alternative to Cobalt Strike, which is increasingly detected by endpoint protection. Once deployed, Sliver connects back to a command-and-control server to open a reverse shell or wait for commands to execute on the infected host. The Sliver beacon observed in the attack was configured to connect to a command-and-control server in the Netherlands.
A backup IP with Remote Desktop Protocol (RDP) enabled was also identified by Field Effect. With persistence established, the attackers compromise the Domain Controller using the same SimpleHelp RMM client and create another admin account ('fpmhlttech'). Instead of a backdoor, the attackers install a Cloudflare Tunnel disguised as Windows svchost.exe to maintain stealthy access and bypass security controls and firewalls.
SimpleHelp users are advised to apply the security updates that address CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 as soon as possible. They should also look for administrator accounts named 'sqladmin' and 'fpmhlttech,' or any others they don't recognize, and look for connections to the IPs listed in Field Effect's report. Users should restrict SimpleHelp access to trusted IP ranges to prevent unauthorized access.
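The checks recommended above, as an added PowerShell hunting script that is not part of the article or of Field Effect's report. It assumes an elevated session on the endpoint; $ExpectedAdmins is your own baseline and $SuspectIPs is a placeholder to be filled from Field Effect's report.

```powershell
# Added example: host-level hunt for the indicators described in the article.
# $ExpectedAdmins and $SuspectIPs are placeholders, not values from the article.
$ExpectedAdmins = @('Administrator', 'CORP\Domain Admins')   # your baseline (placeholder)
$KnownBadAdmins = @('sqladmin', 'fpmhlttech')                 # account names from the article
$SuspectIPs     = @('<IP from Field Effect report>')          # placeholder, fill from the report
$LegitSvchost   = @("$env:SystemRoot\System32\svchost.exe",
                    "$env:SystemRoot\SysWOW64\svchost.exe")

$findings = @()

# 1. Members of the local Administrators group: flag the named accounts and
#    anything not on the baseline.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $short = $_.Name -replace '^.*\\', ''          # strip COMPUTER\ or DOMAIN\ prefix
    if ($KnownBadAdmins -contains $short) {
        $findings += "Known-bad admin account present: $($_.Name)"
    } elseif ($ExpectedAdmins -notcontains $_.Name) {
        $findings += "Admin account not on baseline: $($_.Name)"
    }
}

# 2. svchost.exe running from anywhere but the Windows system directories
#    (the article describes a Cloudflare Tunnel binary posing as svchost.exe).
#    ExecutablePath is empty for protected processes unless the session is elevated.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    if ($_.ExecutablePath -and ($LegitSvchost -notcontains $_.ExecutablePath)) {
        $findings += "svchost.exe outside system dirs: $($_.ExecutablePath) (PID $($_.ProcessId))"
    }
}

# 3. agent.exe processes (the Sliver implant name in this intrusion) and
#    their established outbound connections.
$conns = Get-NetTCPConnection -State Established
Get-CimInstance Win32_Process -Filter "Name = 'agent.exe'" | ForEach-Object {
    $pid_ = $_.ProcessId
    $remote = ($conns | Where-Object OwningProcess -eq $pid_ |
               ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
    $findings += "agent.exe running from $($_.ExecutablePath) (PID $pid_) connections: $remote"
}

# 4. Any established connection to the indicator IPs from the report.
$conns | Where-Object { $SuspectIPs -contains $_.RemoteAddress } | ForEach-Object {
    $findings += "Connection to indicator IP $($_.RemoteAddress):$($_.RemotePort) (PID $($_.OwningProcess))"
}

if ($findings.Count -eq 0) { Write-Host 'No findings on this host.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Treat the svchost.exe and agent.exe checks as leads, not verdicts: confirm the file hash and signer of any flagged binary before acting on it.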