DragonForce operator chained SimpleHelp flaws to target an MSP and its customers



Pierluigi Paganini
May 27, 2025

Sophos warns that a DragonForce ransomware operator chained three vulnerabilities in SimpleHelp to target a managed service provider.

Sophos researchers reported that a DragonForce ransomware operator exploited three chained vulnerabilities in SimpleHelp software to attack a managed service provider.

SimpleHelp is a remote support and access software designed for IT professionals and support teams. It enables technicians to remotely connect to and control computers for troubleshooting, maintenance, and support purposes.

Sophos states that DragonForce ransomware operators chained the three vulnerabilities, tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, for initial access.

The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated path traversal issue allowing attackers to download arbitrary files from the server. This includes sensitive data like the serverconfig.xml file, which contains hashed admin and technician passwords, LDAP credentials, and other secrets, all encrypted with a hardcoded key. The second bug, tracked as CVE-2024-57728 (CVSS score of 7.2), enables arbitrary file uploads, leading to remote code execution if attackers gain admin credentials. For Linux, this allows remote command execution via crontab uploads; for Windows, it enables executable overwrites. The third, CVE-2024-57726 (CVSS score of 7.2), allows privilege escalation, letting a low-privilege technician elevate to admin by exploiting missing backend authorization checks. This grants access to customer machines and makes the server vulnerable to further exploits.
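For defenders the practical takeaway is detection: any request that walks out of the web root, or that reaches serverconfig.xml at all, is the signal to patch and to rotate the admin, technician and LDAP credentials that file holds. The script below is an added example, not code from Sophos, Horizon3 or SimpleHelp; it assumes a combined-format reverse-proxy access log (SimpleHelp's own log layout is not described here) and runs over constructed sample lines.

```python
import re
from urllib.parse import unquote

# Combined-style access-log regex (assumed format; adapt to your reverse proxy).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# File the article names as the target of the CVE-2024-57727 path traversal.
SENSITIVE_FILES = {"serverconfig.xml"}

# Constructed sample lines, not real traffic: one benign request, then a plain,
# a URL-encoded and a double-encoded traversal attempt from a single source.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2025:10:01:02 +0000] "GET /static/app.js HTTP/1.1" 200 55000
10.0.0.9 - - [22/Jan/2025:10:01:07 +0000] "GET /resources/../configuration/serverconfig.xml HTTP/1.1" 200 8821
10.0.0.9 - - [22/Jan/2025:10:01:09 +0000] "GET /static/%2e%2e%2f%2e%2e%2fconfiguration%2fserverconfig.xml HTTP/1.1" 200 8821
10.0.0.9 - - [22/Jan/2025:10:01:11 +0000] "GET /static/%252e%252e%252fbackup.zip?x=1 HTTP/1.1" 404 12
"""

def decode_path(raw: str, rounds: int = 3) -> str:
    """Drop the query string and percent-decode repeatedly so double-encoded '../' is seen as the server sees it."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def scan_log(text: str) -> list:
    """One finding per request with a '..' segment or a sensitive file name; 'succeeded' marks 2xx, i.e. likely disclosure."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_path(m["path"])
        segments = path.split("/")
        reasons = []
        if ".." in segments:
            reasons.append("dot-dot segment")
        if segments[-1].lower() in SENSITIVE_FILES:
            reasons.append("sensitive file")
        if reasons:
            status = int(m["status"])
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": path, "status": status,
                             "succeeded": 200 <= status < 300, "reasons": reasons})
    return findings
```

A finding with `succeeded` set against serverconfig.xml should be treated as credential exposure, not just an attempt, and handled accordingly.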

On January 6, 2025, Horizon3 reported the issues to SimpleHelp, which released patched version 5.3.9 on January 13, 2025.

At the end of January, researchers from security firm Arctic Wolf reported a campaign targeting SimpleHelp servers. According to the experts, the attacks allegedly exploited the above vulnerabilities and began a week after their public disclosure.

Attackers could download files, upload files with admin privileges, and escalate their access to an administrative level on vulnerable servers.

“On 22 January 2025, Arctic Wolf began observing a campaign involving unauthorised access to devices running SimpleHelp RMM software as an initial access vector. Roughly a week prior to the emergence of this campaign, several vulnerabilities had been publicly disclosed in SimpleHelp by Horizon3 (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728).” reads the report published by Arctic Wolf. “If a threat actor chains these vulnerabilities together and gains administrative access to a SimpleHelp server, they could theoretically use it to compromise devices running the SimpleHelp client software.”

Sophos uncovered that an attacker used a legitimate SimpleHelp remote management tool run by a managed service provider (MSP) to push a suspicious installer and access client networks. The attacker gathered system info, user data, and network details across several customers.

Thanks to Sophos MDR and XDR protections, one client was able to block the ransomware and data theft attempt. However, other clients without those defenses weren’t as lucky and were impacted. The MSP has since brought in Sophos Rapid Response to investigate and help contain the incident.

“The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients.” reads the report published by Sophos. “The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.”

Sophos published indicators of compromise for this threat on their GitHub.

The DragonForce ransomware group recently made the headlines after claiming attacks on UK retailers like Marks & Spencer, Co-op, and Harrods.

The DragonForce ransomware group encrypts victims’ data and demands a ransom; it is also known to steal victims’ data. DragonForce runs a cybercrime affiliate service, letting affiliates use its tools to launch attacks and extort victims. The group manages both Telegram and Discord channels; cybersecurity experts believe it is composed of English-speaking teenagers.
