Ransomware gangs exploiting unpatched SimpleHelp remote software, CISA warns


The US Cybersecurity and Infrastructure Security Agency (CISA) has a new warning for users of SimpleHelp remote management software – patch now.

CISA released a new advisory on Thursday, warning of an uptick in ransomware attacks on organizations that use the product and have not installed the most recent updates.

The agency said it has observed numerous cases where ransomware gangs have successfully exploited a known vulnerability in SimpleHelp's Remote Monitoring and Management (RMM) software, specifically citing the compromise of an unnamed utility billing software provider.


“This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025,” CISA noted.

Several vulnerabilities have been identified in SimpleHelp remote support software versions 5.5.7 and earlier, the CISA advisory said.

One of the known vulnerabilities leveraged by ransomware actors is CVE-2024-57727 – a path traversal vulnerability that, according to the CVE record, allows unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests.

“These files include server configuration files containing various secrets and hashed user passwords,” the CVE record states.

The other two vulnerabilities cataloged by MITRE ATTACK in January include both an arbitrary file upload vulnerability (CVE-2024-57728) and a privilege escalation vulnerability (CVE-2024-57726).

[Screenshot of the SimpleHelp website, simple-help.com. Image by Cybernews.]

Last month, Sophos researchers singled out the DragonForce ransomware group as having exploited the chain of vulnerabilities to successfully breach multiple organizations.

Once inside the target’s systems, DragonForce was observed deploying its ransomware variant across multiple endpoints, enabling the group to exfiltrate sensitive data from its victims.

DragonForce – which has been tied to recent ransomware attacks on British retailers Marks & Spencer and Co-op – was said by Sophos to have “leveraged double extortion tactics to pressure victims into paying the ransom.”

The M&S attackers are believed to have gained access to the retailer's systems through a third-party consulting company, although there has been no mention of the third-party compromise being related to the SimpleHelp software vulnerabilities. However, the investigation is still ongoing.


SimpleHelp, a privately owned company based in Edinburgh, Scotland, states on its website that its software is installed and actively used on thousands of servers, allowing access to hundreds of thousands of machines via those SimpleHelp servers.

CISA said unpatched versions of SimpleHelp RMM could be running directly or embedded in third-party software.

SimpleHelp has published a ‘Security Vulnerabilities’ guide on its website detailing the impacts of compromise and steps customers should take to patch the software.
