
Source: horizon3
Security researchers at Arctic Wolf have uncovered a new campaign exploiting vulnerabilities in SimpleHelp RMM software to gain initial access to devices.
The campaign, first observed on January 22, 2025, involves threat actors leveraging recently disclosed vulnerabilities in SimpleHelp to compromise devices running the software. These vulnerabilities, publicly disclosed by Horizon3 a week prior, could allow attackers to download and upload arbitrary files, and escalate privileges to gain administrative access.
The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, have the potential to cause severe damage. These flaws could enable attackers to:
- Download arbitrary files from a SimpleHelp server.
- Upload arbitrary files with administrative privileges.
- Escalate privileges to gain administrative access on SimpleHelp servers.
“If a threat actor chains these vulnerabilities together and gains administrative access to a SimpleHelp server, they could theoretically use it to compromise devices running the SimpleHelp client software,” warns Arctic Wolf. While Arctic Wolf noted that it is not yet confirmed whether these vulnerabilities were directly exploited in this campaign, the risks remain significant.
The attack observed by Arctic Wolf began with SimpleHelp’s Remote Access.exe process, which had been left running in the background after prior legitimate use. Key stages of the attack included:
- Unauthorized Connections: The SimpleHelp client communicated with an unapproved SimpleHelp server.
- Reconnaissance: Threat actors used tools such as net and nltest via cmd.exe to enumerate accounts and domain information.
- Session Termination: The attack was disrupted before further actions could be carried out.
The report emphasizes, “SimpleHelp and other similar RMM tools are a potentially attractive target to threat actors because they can be abused to blend in with legitimate activity.”
To mitigate the risks associated with SimpleHelp, Arctic Wolf strongly advises organizations to take the following steps:
- Upgrade to Patched Versions: Ensure your SimpleHelp servers are updated to the latest fixed versions:
  - 5.5.x → 5.5.8 (Installer)
  - 5.4.x → 5.4.10 (Patch)
  - 5.3.x → 5.3.9 (Patch)
  Follow organizational patching guidelines to avoid operational disruptions.
- Uninstall Unused Clients: Remove SimpleHelp client software installed for ad-hoc support sessions that are no longer in use to reduce the attack surface.
- Enhance Access Controls:
- Rotate administrator and technician passwords regularly.
- Restrict IP addresses allowed to log into SimpleHelp servers to known, trusted locations.
- Monitor Network Traffic: Look for suspicious communications between SimpleHelp clients and unauthorized server instances.
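The two observations in the report translate directly into detection logic: the SimpleHelp client (Remote Access.exe) connecting to a server outside an approved list, and net/nltest launched through cmd.exe beneath that client process. The following is an added example written for this article, not code from Arctic Wolf, Horizon3 or SimpleHelp; the telemetry record shapes, the approved-server host name, the test IP address and the sample command lines are all constructed placeholders.

```python
from collections import namedtuple

SIMPLEHELP_CLIENT = "remote access.exe"          # client image named in the report
RECON_TOOLS = {"net.exe", "net1.exe", "nltest.exe"}
APPROVED_SERVERS = {"simplehelp.corp.example"}   # constructed allow-list placeholder

# Constructed telemetry schemas: process-creation and outbound-connection records.
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
NetEvent = namedtuple("NetEvent", "image dest_host")

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def unapproved_server_alerts(net_events, approved=APPROVED_SERVERS):
    """SimpleHelp client connecting to any host not on the approved-server list."""
    approved = {h.lower() for h in approved}
    return [f"{_basename(e.image)} -> {e.dest_host}" for e in net_events
            if _basename(e.image) == SIMPLEHELP_CLIENT and e.dest_host.lower() not in approved]

def recon_under_simplehelp_alerts(proc_events, max_depth=3):
    """net/nltest whose parent chain (e.g. via cmd.exe) leads back to the SimpleHelp client."""
    by_pid = {e.pid: e for e in proc_events}
    alerts = []
    for e in proc_events:
        if _basename(e.image) not in RECON_TOOLS:
            continue
        chain, cur = [_basename(e.image)], by_pid.get(e.ppid)
        while cur is not None and len(chain) <= max_depth:   # walk up at most max_depth parents
            chain.append(_basename(cur.image))
            if chain[-1] == SIMPLEHELP_CLIENT:
                alerts.append(" <- ".join(chain) + f" : {e.cmdline}")
                break
            cur = by_pid.get(cur.ppid)
    return alerts

# Constructed sample telemetry: the reported chain, plus a benign console chain that must not fire.
SAMPLE_PROCS = [
    ProcEvent(100, 1, r"C:\Program Files\SimpleHelp\Remote Access.exe", "Remote Access.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net user /domain"),
    ProcEvent(300, 200, r"C:\Windows\System32\net.exe", "net user /domain"),
    ProcEvent(400, 200, r"C:\Windows\System32\nltest.exe", "nltest /dclist:"),
    ProcEvent(500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\net.exe", "net use"),
]
SAMPLE_NET = [
    NetEvent(r"C:\Program Files\SimpleHelp\Remote Access.exe", "simplehelp.corp.example"),
    NetEvent(r"C:\Program Files\SimpleHelp\Remote Access.exe", "198.51.100.23"),  # constructed test address
]
```

The parent-chain walk is what keeps an administrator running net from an interactive console (the explorer.exe chain) from firing, while the same command under Remote Access.exe does.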