Threat actors are allegedly exploiting the recently patched SimpleHelp flaws to gain initial access to targeted networks.
According to reports, researchers track the vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) software as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. Researchers noted that these bugs could allow threat actors to download and upload data on affected devices and to escalate privileges to administrator level.
The researchers uncovered and disclosed the vulnerabilities about two weeks ago. The disclosure prompted the vendor to issue fixes, which it released between January 8 and 13.
The fixes shipped in product versions 5.5.8, 5.4.10, and 5.3.9. However, researchers reported ongoing attacks against SimpleHelp servers, which began around a week after the bug disclosure.
Exploits for the SimpleHelp flaws have been accessible to various threat actors.
Investigations revealed that the vulnerable SimpleHelp ‘Remote Access.exe’ process was already running in the background before an observed attack. This indicates that the flawed software had already been installed on the machines for remote support sessions.
The first evidence of a compromise was the target device’s SimpleHelp client communicating with an unapproved SimpleHelp server.
This is possible either because the attacker exploited the vulnerabilities to take control of the client or because they used stolen credentials to hijack the connection.
Once inside, the attackers used cmd.exe commands like ‘net’ and ‘nltest’ to collect information about the system, such as a list of user accounts, groups, shared resources, and domain controllers, as well as to test Active Directory connectivity.
These are typical reconnaissance steps that precede privilege escalation and lateral movement. However, the researchers claim the malicious session was terminated before the threat actor could identify what to do next.
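As an added example (not code from the report or from SimpleHelp), the following Python script turns the two observations above into detection checks run over constructed process-creation and client-connection events; the CSV field names and the approved-server allowlist are assumptions.

```python
"""Detection checks for the SimpleHelp activity described above (added example).
Check 1: the SimpleHelp client (Remote Access.exe) talking to a server not on
         the organisation's approved list.
Check 2: cmd.exe spawned by the SimpleHelp client invoking 'net' or 'nltest'.
Log format, field names and the allowlist are assumptions; events are constructed.
"""
import csv
import io

APPROVED_SERVERS = {"rmm.corp.example"}  # assumed allowlist of the org's own servers
DISCOVERY_TOOLS = {"net", "net.exe", "net1", "net1.exe", "nltest", "nltest.exe"}

# Constructed sample events: process creations and client connections.
SAMPLE_EVENTS = """ts,host,parent,image,cmdline,dest
2025-01-20T10:01:00Z,WS01,services.exe,Remote Access.exe,Remote Access.exe,rmm.corp.example
2025-01-20T10:05:00Z,WS01,services.exe,Remote Access.exe,Remote Access.exe,203.0.113.10
2025-01-20T10:06:00Z,WS01,Remote Access.exe,cmd.exe,cmd.exe /c net user /domain,
2025-01-20T10:06:05Z,WS01,Remote Access.exe,cmd.exe,cmd.exe /c nltest /dclist:corp,
2025-01-20T10:07:00Z,WS02,explorer.exe,cmd.exe,cmd.exe /c dir,
"""

def parse_events(text: str) -> list[dict]:
    """Parse CSV event text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def rogue_server_events(events: list[dict], approved=APPROVED_SERVERS) -> list[dict]:
    """Check 1: SimpleHelp client connections to servers outside the allowlist."""
    return [e for e in events
            if e["image"].lower() == "remote access.exe"
            and e["dest"] and e["dest"].lower() not in approved]

def discovery_events(events: list[dict]) -> list[dict]:
    """Check 2: cmd.exe under the SimpleHelp client running net/nltest."""
    hits = []
    for e in events:
        if e["parent"].lower() != "remote access.exe" or e["image"].lower() != "cmd.exe":
            continue
        if {t.lower() for t in e["cmdline"].split()} & DISCOVERY_TOOLS:
            hits.append(e)
    return hits

def triage(text: str = SAMPLE_EVENTS) -> dict:
    """Run both checks and return the flagged events grouped by check."""
    events = parse_events(text)
    return {"rogue_server": rogue_server_events(events),
            "discovery": discovery_events(events)}

if __name__ == "__main__":
    for check, hits in triage().items():
        for e in hits:
            print(f"[{check}] {e['ts']} {e['host']} {e['cmdline']} {e['dest']}".rstrip())
```

In a real deployment the allowlist would hold the organisation's own SimpleHelp server hostnames, and the events would come from EDR or Sysmon process-creation and network-connection telemetry rather than the embedded CSV.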
SimpleHelp users should upgrade to the latest version to fix the issues. The vendor has published a bulletin with further guidance on installing the security updates and verifying that the fix is in place.
Lastly, where the SimpleHelp client was installed in the past for remote assistance sessions but is no longer required, it should be removed from those systems to reduce the attack surface.
