DragonForce Used MSP's RMM Software to Distribute Ransomware
- In early 2024, the DragonForce ransomware group compromised a managed service provider by exploiting vulnerabilities in the SimpleHelp RMM platform, enabling them to exfiltrate sensitive information and install ransomware on the provider’s client systems.
- The attack took place after threat actors took advantage of three distinct security flaws in SimpleHelp—identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726—which had been patched in January but were reported to be actively exploited by February.
- A Sophos investigation revealed that the attackers performed reconnaissance, gathering device names, configurations, users, and network details, before stealing data and deploying ransomware across multiple downstream customers.
- Sophos blocked some attacks using endpoint protection, but other customers suffered encrypted devices and data theft used for double-extortion, leading Sophos to share indicators of compromise to aid defensive efforts.
- This case highlights the risk MSPs face as a single breach can impact many businesses, with DragonForce rapidly gaining prominence through affiliate-friendly ransomware-as-a-service and high-profile retail breaches in the UK.
13 Articles
DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints
The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider's (MSP) SimpleHelp remote monitoring and management (RMM) tool, and then leveraged it to exfiltrate data and drop the locker on multiple endpoints. It's believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were
DragonForce Ransomware Actors Exploit RMM Tools to Gain Access to Organizations
Sophos Managed Detection and Response (MDR) successfully responded to a sophisticated targeted attack orchestrated by threat actors leveraging DragonForce ransomware. The attackers gained unauthorized access to a Managed Service Provider’s (MSP) remote monitoring and management (RMM) tool, SimpleHelp, using it as a conduit to deploy ransomware across multiple endpoints and exfiltrate sensitive data. This double […] The post DragonForce Ransomwar…
DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs - WorldNL Magazine
- Sophos spots DragonForce ransomware attack leveraging three bugs
- The flaws were found in SimpleHelp SMM platform
- The victim was a major managed service provider (MSP)

The DragonForce ransomware group is chaining multiple SimpleHelp vulnerabilities to breach systems, steal sensitive files, and deploy an encryptor, experts have warned. In a blog post, Sophos MDR researchers noted they were alerted to the incident when a “…
Coverage Details
Bias Distribution
- 100% of the sources are Center