The DragonForce ransomware gang has struck again. This time, they targeted a managed service provider (MSP) and its customers. The attackers exploited security flaws in the remote monitoring and management (RMM) tool SimpleHelp.
They used this access to deploy the DragonForce ransomware across multiple endpoints. Sophos security researchers investigated the attack. They did not name the affected MSP or say how many customers were impacted.
DragonForce is a relatively new ransomware-as-a-service gang. It gained notoriety in April for attacks in the UK and US. The group allows other cybercriminals to use its infrastructure and tools to deploy various types of ransomware.
MSPs are attractive targets for cybercriminals. A single compromised MSP can provide access to all its customers’ networks. The exploitation of SimpleHelp’s software was particularly damaging because it is used by thousands of customers.
This allowed attackers to push malware to multiple IT environments as if it were a legitimate software update. Sophos spotted the DragonForce infection after detecting a suspicious installation of a SimpleHelp installer file.
DragonForce uses SimpleHelp vulnerabilities
The installer was pushed through a legitimate SimpleHelp RMM instance. The attackers used this access to gather information on multiple customer estates managed by the MSP. They collected device names, user configurations, and network connections.
Jon Miller, CEO of anti-ransomware outfit Halcyon, commented on the severity of the attack. He stated, “Supply chain attacks are already a nightmare — one vendor gets popped, and suddenly hundreds of downstream businesses are scrambling. But when the target is an MSP, and the weapon is their own RMM software? That’s a whole new level of chaos.”
Sophos believes the DragonForce affiliate exploited a chain of vulnerabilities in SimpleHelp. These included multiple path traversal issues (CVE-2024-57727), an arbitrary file upload vulnerability (CVE-2024-57728), and a privilege escalation vulnerability (CVE-2024-57726). These flaws allowed attackers to fully hijack a SimpleHelp server.
Both organizations had warned earlier in the year that attackers were actively exploiting these vulnerabilities. Sophos has released a full list of indicators of compromise related to this investigation. They recommend that organizations check these out and ensure their systems are updated and secure.
Other incidents involving DragonForce and similar ransomware groups have caused significant disruptions. This highlights the growing threat of ransomware attacks on critical infrastructure and service providers.
Kirstie is a technology news reporter at DevX. She reports on emerging technologies and startups waiting to skyrocket.