DragonForce ransomware breaches MSPs via recently patched SimpleHelp flaws

A sophisticated ransomware campaign linked to the notorious DragonForce gang has breached a managed service provider (MSP), exploiting vulnerabilities in the SimpleHelp remote monitoring and management (RMM) platform to deploy ransomware and steal sensitive data from downstream customers.

According to a detailed investigation conducted by cybersecurity firm Sophos, the attackers leveraged a chain of now-patched vulnerabilities in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) to infiltrate the MSP's infrastructure. Once inside, they used the RMM platform to conduct reconnaissance and subsequently launch attacks on connected client networks.

SimpleHelp, a popular commercial remote access tool, enables MSPs to remotely manage client systems and deploy updates.

After breaching the MSP, the attackers used SimpleHelp to gather intelligence across client environments, including device names, configurations, user accounts, and network topology. The threat actors then attempted to deploy data stealers and ransomware encryptors across several customer networks.

Sophos has published indicators of compromise (IOCs) to aid organizations in detecting and mitigating similar attacks.

The DragonForce ransomware operation made headlines after claiming to take over infrastructure belonging to the now-fractured RansomHub operation. The group has also been linked to high-profile retail breaches in both the UK and the US.

Recent campaigns show collaboration with notorious ransomware affiliate Scattered Spider (UNC3944), formerly associated with RansomHub. Joint operations between the two have targeted major retail chains, including Marks & Spencer and Co-op, resulting in significant data theft and operational disruption. Co-op confirmed a major breach of customer data following the attack.
