Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
The flaws are tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 and were reported as potentially actively exploited by Arctic Wolf last week. However, the cybersecurity firm could not confirm for sure if the flaws were used.
Cybersecurity firm Field Effect has confirmed to BleepingComputer that the flaws are being exploited in recent attacks and released a report that sheds light on the post-exploitation activity.
Additionally, the cybersecurity researchers mention that the observed activity has signs of Akira ransomware attacks, though they do not hold enough evidence to make a high-confidence attribution.
Targeting SimpleHelp RMM
The attack started with the threat actors exploiting the vulnerabilities in the SimpleHelp RMM client to establish an unauthorized connection to a target endpoint.
The attackers connected from the IP 194.76.227[.]171, an Estonian-based server running a SimpleHelp instance on port 80.
Once connected via RMM, the attackers quickly executed a series of discovery commands to learn more about the target environment, including system and network details, users and privileges, scheduled tasks and services, and domain controller information.
Field Effect also observed a command that searched for the CrowdStrike Falcon security suite, likely a bypass attempt bypass.
Leveraging their access and knowledge, the attackers then proceeded to create a new administrator account named “sqladmin” to maintain access to the environment, followed by the installation of the Sliver post-exploitation framework (agent.exe).
Sliver is a post-exploitation framework developed by BishopFox that has seen increased usage over the past couple of years as an alternative to Cobalt Strike, which is increasingly detected by endpoint protection.
When deployed, Sliver will connect back to a command and control server (C2) to open a reverse shell or wait for commands to execute on the infected host.
The Sliver beacon observed in the attack was configured to connect to a C2 in the Netherlands. Field Effect also identified a backup IP with Remote Desktop Protocol (RDP) enabled.
With persistence established, the attackers moved deeper into the network by compromising the Domain Controller (DC) using the same SimpleHelp RMM client and creating another admin account (“fpmhlttech”).
Instead of the backdoor, the attackers installed a Cloudflare Tunnel disguised as Windows svchost.exe to maintain stealthy access and bypass security controls and firewalls.
Protecting SimpleHelp from attacks
SimpleHelp users are advised to apply the available security updates that address CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 as soon as possible. For more info, check the vendor’s bulletin.
Additionally, look for administrator accounts named ‘sqladmin’ and ‘fpmhlttech,’ or any others you don’t recognize, and look for connections to the IPs listed in Field Effect’s report.
Ultimately, users should restrict SimpleHelp access to trusted IP ranges to prevent unauthorized access.
