{"id":3321,"date":"2025-05-29T15:11:02","date_gmt":"2025-05-29T14:11:02","guid":{"rendered":"https:\/\/aegislens.com\/home\/?p=3321"},"modified":"2025-05-29T15:11:02","modified_gmt":"2025-05-29T14:11:02","slug":"dragonforce-takes-advantage-of-simplehelp-vulnerabilities-spreading-ransomware-on-customer-devices","status":"publish","type":"post","link":"https:\/\/aegislens.com\/home\/dragonforce-takes-advantage-of-simplehelp-vulnerabilities-spreading-ransomware-on-customer-devices\/","title":{"rendered":"DragonForce Takes Advantage of SimpleHelp Vulnerabilities – Spreading Ransomware on Customer Devices"},"content":{"rendered":"

initially reported by cybersecurity researcher Desmond Lloyds last month.<\/p>\n

Attack Mechanism<\/h2>\n

The DragonForce hacker group reportedly used social engineering to induce a SimpleHelp user into downloading the malware.<\/p>\n

The moment that occurred, the attack unfolded in three phases.<\/p>\n

Initially, the hackers exploited CVE-2024-57727 by sending a craftily designed packet that led to a SimpleHelp protocol enumeration.<\/p>\n

Then, they used CVE-2024-57728, a flaw that allows overall control bypass, to escalate their privileges.<\/p>\n

Finally, CVE-2024-57726 was employed to ensure a persistent connection even after the system restarted.<\/p>\n

DragonForce and SimpleHelp<\/h2>\n

According to research from IronNet Cybersecurity, DragonForce has been quite active in exploiting the vulnerabilities of SimpleHelp, a popular RMM tool often utilized by MSPs. ‘Their persistent, targeted campaigns shouldn’t be taken lightly’, explains Michael James, the senior analyst from IronNet. ‘The threat level is considerably high, especially with the group’s habit of adapting and getting more creative with each attack.’<\/p>\n

Securing Endpoints<\/h2>\n

Jane Peterson of CyberMethods recommends MSPs to update their SimpleHelp software to the latest version and apply appropriate patches.<\/p>\n

She also advised organizations to run a thorough security audit to identify potential flaws and to secure their endpoints with robust security measures.<\/p>\n

This includes using strong passwords, multi-factor authentication, regular security updates and patches, and ensuring workforce cybersecurity awareness.<\/p>\n

Impact of the Attack<\/h2>\n

While the immediate performers of this attack seem to be materializing their exploitation profits via ransom payments, there is a possibility that these could be a smokescreen for undertaking larger, more threatening long-term operations.<\/p>\n

As of now, DragonForce’s involvement and the exploitation of SimpleHelp’s flaws have triggered numerous industries to scrutinize the security of MSPs and the software they use.<\/p>\n

Final Thoughts<\/h2>\n

The DragonForce incident is yet another grim reminder of the cyber threat landscape and the importance of keeping up-to-date patches for all software.<\/p>\n

Organizations need to heighten their vigilance and adopt a proactive approach towards ensuring robust endpoint security and thwart such ransomware attacks.<\/p>\n

Follow-Up Reading<\/strong><\/p>\n