SimpleHelp Ransomware hitting Retail

Ransomware gangs have been exploiting a vulnerability in the remote device control software SimpleHelp during a recent string of attacks, according to federal cybersecurity officials.  The Cybersecurity and Infrastructure Security Agency (CISA) warned that CVE-2024-57727, a vulnerability affecting SimpleHelp’s widely used remote access tools, was exploited to “compromise customers of a utility billing software provider.”  CISA declined to explain the timing of the advisory or what attacks it was referring to.[1]

SimpleHelp is remote access software that lets users access and control computers from anywhere; it is typically deployed by IT personnel to fix issues or monitor the functions of a device.  “This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp…since January 2025,” CISA said.

Ransomware gangs “likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp remote monitoring and management [tool] for disruption of services in double extortion compromises.”

CVE-2024-57727 was added to CISA’s catalog of exploited vulnerabilities in February and the agency renewed its call for software vendors, downstream customers and end users to fix the bug as soon as possible.

The CISA advisory links to a 27 May report from cybersecurity firm Sophos that tied the SimpleHelp exploitation campaign to the use of DragonForce ransomware against retail companies.  The report says DragonForce is being used by multiple hacking groups, including well-known operations like Scattered Spider, in recent “attacks targeting multiple large retail chains in the UK and the US.”

See: https://redskyalliance.org/xindustry/scattered-spider-s-devious-web 

CISA and the FBI also noted recently that the Play ransomware has been used in conjunction with the exploitation of CVE-2024-57727.

Law enforcement officials said initial access brokers with ties to Play ransomware operators continue to use the same bug to exploit SimpleHelp, which is deployed by many of the gang’s US-based victims.  The exploitation of issues in remote management tools like SimpleHelp continues to cause concern among defenders.

Vulnerabilities in popular tools produced by ConnectWise and Kaseya have been the source of multiple ransomware and nation-state incidents over the last five years. 

A CISA report warned that hackers are exploiting a vulnerability in ConnectWise, days after the company said it was investigating a nation-state attack on its systems that impacted some of its customers using the ScreenConnect remote management software.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

REDSHORTS - Weekly Cyber Intelligence Briefings:

https://register.gotowebinar.com/register/5207428251321676122

[1] https://therecord.media/cisa-warns-of-simplehelp-ransomware-compromises/
