Threat actors exploit popular MSPs’ remote monitoring tool to deploy malware

  • Marijan Hassan - Tech Journalist
  • Jun 5
  • 2 min read

According to Sophos’ Managed Detection and Response (MDR) team, attackers compromised a managed service provider’s (MSP’s) instance of SimpleHelp, a remote monitoring and management (RMM) tool, and used it as a foothold to push ransomware and harvest data from multiple client networks. The incident marks a significant escalation in the abuse of RMM platforms, which MSPs widely use to provide IT support and system management at scale.



The attackers reportedly used their unauthorized access to install a malicious SimpleHelp installer on target systems, gather intelligence on connected environments, and ultimately deploy DragonForce ransomware. Affected victims faced double extortion where the miscreants stole sensitive data and encrypted files to increase ransom pressure.


Exploited vulnerabilities

Sophos has medium confidence that the threat actor exploited a chain of known vulnerabilities disclosed earlier this year, including:

  • CVE-2024-57726: Privilege escalation
  • CVE-2024-57727: Path traversal
  • CVE-2024-57728: Arbitrary file upload


These vulnerabilities may have enabled the attacker to gain administrative access to the MSP’s SimpleHelp deployment and escalate privileges across customer environments.


DragonForce’s expanding reach

The ransomware strain used in the attack, DragonForce, is a fast-rising name in the ransomware-as-a-service (RaaS) ecosystem. First observed in mid-2023, DragonForce has since evolved into a distributed affiliate model and recently claimed to have absorbed the infrastructure of rival RaaS group RansomHub.


The group has been linked to recent high-profile attacks targeting large retail chains in the US and UK. Moreover, affiliates tied to Scattered Spider (UNC3944), a known threat actor with a reputation for social engineering and lateral movement, have reportedly adopted DragonForce in recent campaigns.


Sophos saves the day

Sophos said the attack was detected when one of the MSP’s clients, who was enrolled in Sophos MDR and had Sophos XDR endpoint protection, triggered alerts related to a suspicious SimpleHelp installation. Automated defenses and human-led threat response efforts successfully blocked the ransomware deployment and cut off attacker access before data was exfiltrated.


However, other clients without Sophos protections in place were not as fortunate, suffering ransomware infections and data theft. The MSP has since engaged Sophos Rapid Response for digital forensics and incident remediation across its environment.


Ongoing risks

The incident underscores the growing threat of RMM tool exploitation, especially when used by MSPs with wide access to customer systems. “Threat actors are increasingly targeting trusted IT infrastructure to bypass defenses and scale attacks quickly,” said a Sophos spokesperson.


Organizations relying on MSPs are urged to validate third-party security practices, ensure RMM platforms are fully patched, and deploy behavioral detection and endpoint response solutions capable of intercepting novel ransomware activity.
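As an added example (not from the article, Sophos, or SimpleHelp), this is the kind of behavioral check the paragraph above calls for: it scans process-creation events for RMM agent or installer processes that point at a server outside the MSP’s approved set, or that add a second RMM server to a host that already reports to one (the “suspicious SimpleHelp installation” pattern described earlier). The event field names, file paths, the `--server` flag, and the server hostnames are constructed assumptions, not SimpleHelp’s actual ones.

```python
import re
from urllib.parse import urlparse

# Hostnames the MSP's legitimate RMM server is expected to use (assumed value).
APPROVED_RMM_SERVERS = {"rmm.msp.example"}

# Constructed process-creation events. Field names, paths and the --server
# flag are illustrative assumptions, not real SimpleHelp telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-05-27T09:01:00Z", "host": "client-a-ws01",
     "image": r"C:\Program Files\SimpleHelp\agent.exe",
     "cmdline": r'"C:\Program Files\SimpleHelp\agent.exe" --server https://rmm.msp.example:443'},
    {"ts": "2025-05-27T09:14:32Z", "host": "client-a-ws01",
     "image": r"C:\Users\Public\sh-installer.exe",
     "cmdline": r"C:\Users\Public\sh-installer.exe /silent --server https://203.0.113.7:8080"},
    {"ts": "2025-05-27T09:15:10Z", "host": "client-b-srv02",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Name fragments that mark a process as RMM-related (assumed hints).
RMM_HINT = re.compile(r"simplehelp|sh-installer", re.I)
URL_RE = re.compile(r"""https?://[^\s"']+""")

def rmm_server(cmdline):
    """Hostname of the first URL on the command line, or None."""
    m = URL_RE.search(cmdline)
    return urlparse(m.group(0)).hostname if m else None

def find_rogue_rmm(events, approved=APPROVED_RMM_SERVERS):
    """Return (host, image, server, reason) tuples for RMM-looking processes
    that talk to an unapproved server or introduce a second server on a host."""
    servers_per_host = {}
    findings = []
    for ev in events:
        if not (RMM_HINT.search(ev["image"]) or RMM_HINT.search(ev["cmdline"])):
            continue  # not an RMM agent/installer process
        server = rmm_server(ev["cmdline"])
        if server is None:
            continue
        if server not in approved:
            findings.append((ev["host"], ev["image"], server, "unapproved RMM server"))
        known = servers_per_host.setdefault(ev["host"], set())
        if known and server not in known:
            findings.append((ev["host"], ev["image"], server, "second RMM server on host"))
        known.add(server)
    return findings
```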
