On 22 January 2025, Arctic Wolf began observing a campaign involving unauthorised access to devices running SimpleHelp RMM software as an initial access vector. Roughly a week prior to the emergence of this campaign, several vulnerabilities had been publicly disclosed in SimpleHelp by Horizon3 (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728). On affected SimpleHelp servers, these vulnerabilities could allow threat actors to download arbitrary files, upload arbitrary files as an administrative user, and escalate privileges to administrative users. If a threat actor chains these vulnerabilities together and gains administrative access to a SimpleHelp server, they could theoretically use it to compromise devices running the SimpleHelp client software.
While it is not confirmed that the recently disclosed vulnerabilities are responsible for the observed campaign, Arctic Wolf strongly recommends upgrading to the latest available fixed versions of the SimpleHelp server software where possible. In situations where the SimpleHelp client was previously installed on devices for third-party support sessions but isn’t actively being used for day-to-day operations, Arctic Wolf recommends uninstalling the software to reduce the potential attack surface.
Arctic Wolf has Managed Detection and Response detections in place that apply to activities observed in this campaign, and will continue to notify customers when new instances of this activity are observed.
Related Threat Activity
Historically, threat actors have been known to reverse engineer patches for vulnerabilities such as the ones described in this security bulletin to develop exploit code and gain initial access. SimpleHelp and other similar RMM tools are a potentially attractive target to threat actors because they can be abused to blend in with legitimate activity. Another noteworthy aspect is that a single compromise of a SimpleHelp server could yield intrusions across multiple supported organisations.
- Affiliates of LockBit ransomware have previously targeted vulnerabilities in ConnectWise ScreenConnect (i.e., CVE-2024-1708 and CVE-2024-1709) for initial access.
- Affiliates of the now-defunct REvil ransomware group have previously targeted a vulnerability in Kaseya VSA (CVE-2021-30116) to gain initial access.
- Ransomware threat actors affiliated with groups such as Royal (now operating as a spinoff group called BlackSuit), Hive, and Medusa Ransomware have demonstrated a preference for RMM tools such as SimpleHelp to establish persistence and evade detection in compromised environments.
- Iranian state-aligned groups such as MuddyWater are known to rely on SimpleHelp for persistence and to evade detection.
Attack Chain
In the activity reviewed by Arctic Wolf, SimpleHelp’s Remote Access.exe client process had already been running in the background on affected devices before the compromise, left over from a previous support session with a third-party vendor.
The first signs of compromise were communications from the client process to an unapproved SimpleHelp server instance. The threat activity also involved enumeration of accounts and domain information through a cmd.exe process initiated via a SimpleHelp session, using tools such as net and nltest. The threat actors were not observed acting on objectives because the session was terminated before the attack progressed further.
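The two early signs described above (a SimpleHelp client connecting to a server the organisation does not operate, and account/domain enumeration launched from a session it established) can be expressed as a lineage-aware detection. The following is an added example, not code from the Arctic Wolf bulletin; it assumes a hypothetical Sysmon-like event schema (pid, ppid, image, dest_host), a constructed allowlist of approved SimpleHelp server hostnames, and constructed sample events.

```python
# Added example, not part of the Arctic Wolf bulletin: detection logic for the
# two early signs described above, run over constructed sample telemetry.
# Assumptions (hypothetical): events are dicts with a Sysmon-like schema
# (pid/ppid/image/dest_host), and APPROVED_SERVERS is the organisation's own
# allowlist of SimpleHelp server hostnames.

SIMPLEHELP_CLIENT = "remote access.exe"             # SimpleHelp client process
ENUM_TOOLS = {"net.exe", "net1.exe", "nltest.exe"}  # tools seen in the campaign
APPROVED_SERVERS = {"support.vendor.example"}       # constructed allowlist

SH = r"C:\Program Files\SimpleHelp\Remote Access.exe"
S32 = r"C:\Windows\System32"
EVENTS = [  # constructed sample events, in chronological order
    {"type": "network", "pid": 1200, "image": SH, "dest_host": "support.vendor.example"},
    {"type": "network", "pid": 1200, "image": SH, "dest_host": "rogue-rmm.example"},
    {"type": "process", "pid": 3400, "ppid": 1200, "image": S32 + r"\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "pid": 3410, "ppid": 3400, "image": S32 + r"\net.exe", "cmdline": "net user /domain"},
    {"type": "process", "pid": 3420, "ppid": 3400, "image": S32 + r"\nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"type": "process", "pid": 5000, "ppid": 900, "image": S32 + r"\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "pid": 5010, "ppid": 5000, "image": S32 + r"\net.exe", "cmdline": "net use"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events, approved=APPROVED_SERVERS):
    """Return (rule_name, detail) alerts; events must be in chronological order."""
    alerts = []
    session_pids = set()  # pids descending from the SimpleHelp client process
    for ev in events:
        name = basename(ev["image"])
        if name == SIMPLEHELP_CLIENT:
            session_pids.add(ev["pid"])
        if ev["type"] == "network" and name == SIMPLEHELP_CLIENT:
            # Sign 1: client talking to a server the organisation does not operate.
            if ev["dest_host"].lower() not in approved:
                alerts.append(("unapproved_simplehelp_server", ev["dest_host"]))
        elif ev["type"] == "process" and ev["ppid"] in session_pids:
            session_pids.add(ev["pid"])  # cmd.exe and its children inherit the lineage
            # Sign 2: account/domain enumeration launched from the remote session.
            if name in ENUM_TOOLS:
                alerts.append(("enumeration_via_simplehelp_session", ev["cmdline"]))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The explorer.exe-spawned `net use` is deliberately not flagged: the lineage check is what keeps ordinary administrative use of net and nltest out of the alert stream.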
Recommendations
Upgrade SimpleHelp server software to a fixed version
Arctic Wolf strongly recommends that customers running SimpleHelp server software upgrade to the latest fixed version of SimpleHelp, as recommended in SimpleHelp’s advisory.
Product | Affected Version | Fixed Version
--- | --- | ---
SimpleHelp server | 5.5.x | 5.5.8 (installer)
SimpleHelp server | 5.4.x | 5.4.10 (patch)
SimpleHelp server | 5.3.x | 5.3.9 (patch)
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
Uninstall unused SimpleHelp client software from ad-hoc support sessions
In situations where the SimpleHelp client was previously installed on devices for third-party support sessions but isn’t actively being used for day-to-day operations, Arctic Wolf recommends uninstalling the software to reduce the potential attack surface.
Rotate passwords and restrict IP addresses on SimpleHelp servers
SimpleHelp recommends that organisations hosting the SimpleHelp server change the administrator password of the SimpleHelp server, rotate the passwords for Technician accounts, and restrict the IP addresses that the SimpleHelp server can expect Technician and administrator logins from.