Critical SimpleHelp RMM Vulnerabilities Exploited to Deploy Sliver Malware

Cybersecurity researchers have uncovered an active hacking campaign exploiting vulnerabilities in SimpleHelp's Remote Monitoring and Management (RMM) software. The attackers are using these security flaws to gain unauthorized network access and deploy malicious tools.

Field Effect researchers identified that the attackers leveraged recently patched SimpleHelp vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) to compromise target systems. Left unpatched, the three flaws enable information disclosure (CVE-2024-57727, a path traversal in the SimpleHelp server), privilege escalation (CVE-2024-57726), and remote code execution (CVE-2024-57728).

In the documented attack, the hackers gained initial access through a vulnerable SimpleHelp RMM instance hosted in Estonia. They then created a rogue administrator account named "sqladmin" and deployed Sliver, an open-source command-and-control (C2) framework, to maintain persistent access.

The hackers then attempted to move laterally, establishing connections between the compromised SimpleHelp client and the domain controller. They also tried to stand up a Cloudflare tunnel (the cloudflared agent), which would have routed their command-and-control traffic through Cloudflare's legitimate infrastructure and made it hard to distinguish from ordinary outbound traffic.

Defenders detected and stopped the attack before the Cloudflare tunnel became operational. The researchers noted that, had it gone unchecked, the tunnel could have been used to deliver additional malware, including ransomware.
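As an added illustration of how a defender might hunt for the two post-exploitation steps described above (an unexpected new account, followed by a cloudflared tunnel started under it), here is example detection logic. It is not part of the Field Effect report and not SimpleHelp, Sliver or Cloudflare code; the telemetry records it runs over are constructed for the demo, and the record shape (`host`, `kind`, `user`, `detail`) is an assumption about how an EDR or Sysmon feed would be normalised. It also matches on the tunnel's command-line arguments rather than only the binary name, so a renamed cloudflared.exe is still caught.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One normalised endpoint telemetry record (assumed shape, not a real EDR schema)."""
    host: str
    kind: str    # "account_created" or "process_created"
    user: str    # creator of the account, or the user the process ran as
    detail: str  # new account name, or the full process command line


@dataclass
class Finding:
    host: str
    severity: str
    message: str


# Constructed sample telemetry for the demo; not log data from the incident.
# Records are assumed to be in chronological order.
SAMPLE_EVENTS = [
    Event("FS01", "account_created", "SYSTEM", "sqladmin"),
    Event("FS01", "process_created", "sqladmin",
          r'"C:\Users\sqladmin\cloudflared.exe" tunnel run --token eyJhIjoi...'),
    Event("WS22", "process_created", "alice", r'"C:\Program Files\Git\bin\git.exe" pull'),
    Event("WS22", "account_created", "helpdesk", "svc_backup"),
]

# Splits a Windows command line into tokens, keeping quoted paths intact.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# cloudflared verbs/flags that start a tunnel ("tunnel run --token", "tunnel --url").
TUNNEL_ARGS = {"run", "--token", "--url"}


def tokenize(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def looks_like_cloudflared_tunnel(cmdline: str) -> bool:
    """True if the command line runs cloudflared, or starts a tunnel under any binary name."""
    argv = tokenize(cmdline)
    if not argv:
        return False
    exe = ntpath.basename(argv[0]).lower()
    args = [a.lower() for a in argv[1:]]
    if exe in ("cloudflared", "cloudflared.exe"):
        return True  # any cloudflared execution on an endpoint is worth a look
    # Renamed binary: rely on the argument pattern instead of the name.
    return "tunnel" in args and any(a in TUNNEL_ARGS for a in args)


def hunt(events: list) -> list:
    """Report every account creation; escalate a tunnel started by a freshly created account."""
    findings = []
    new_accounts = set()  # (host, account) pairs created so far in this window
    for ev in events:
        if ev.kind == "account_created":
            new_accounts.add((ev.host, ev.detail.lower()))
            findings.append(Finding(ev.host, "medium",
                                    f"new account {ev.detail!r} created by {ev.user}; confirm against change records"))
        elif ev.kind == "process_created" and looks_like_cloudflared_tunnel(ev.detail):
            # A tunnel run by an account created earlier on the same host matches the
            # rogue-admin-then-tunnel sequence described in the article.
            sev = "critical" if (ev.host, ev.user.lower()) in new_accounts else "high"
            findings.append(Finding(ev.host, sev, f"cloudflared tunnel started by {ev.user}: {ev.detail}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.host}: {f.message}")
```

The correlation is deliberately simple (same host, account created earlier in the batch); in a real SIEM you would bound it by a time window and also join on the account's group membership, since the article's account was an administrator.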

The attack patterns share similarities with previous Akira ransomware campaigns from 2023, though other threat actors may have adopted similar techniques.

Organizations using SimpleHelp RMM software should immediately update to version 5.3.9, 5.4.10, or 5.5.8, whichever matches the installed release branch; these builds contain the patches for the three vulnerabilities. Patching alone does not evict an attacker who is already inside: servers that were reachable while unpatched should also be reviewed for the indicators seen in this incident, such as unexpected administrator accounts and cloudflared tunnels. The incident highlights how quickly attackers weaponize newly disclosed flaws in remote management tools to compromise corporate networks.
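To make the upgrade guidance concrete, here is an added version check, written for this page and not SimpleHelp's own code. The point it makes is that the fix landed on three parallel branches, so a plain "newer is safer" comparison is wrong: 5.5.7 sorts above 5.4.10 numerically but is still vulnerable. It assumes SimpleHelp's three-part version strings, and, as a labelled assumption, treats any branch newer than 5.5 as cut after the fix and any branch older than 5.3 as having no fixed build. The inventory at the bottom is constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Fixed builds named in the advisory, keyed by release branch (major, minor).
PATCHED_RELEASES = {
    (5, 3): (5, 3, 9),
    (5, 4): (5, 4, 10),
    (5, 5): (5, 5, 8),
}


def parse_version(text: str) -> tuple:
    """Parse a 'major.minor.patch' string; reject anything else rather than guess."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SimpleHelp version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(text: str) -> bool:
    """True if this build includes the fixes for CVE-2024-57726/57727/57728.

    Comparison is per branch: 5.5.7 sorts above 5.4.10 but is still vulnerable,
    because the fixed build for the 5.5 line is 5.5.8.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in PATCHED_RELEASES:
        return (major, minor, patch) >= PATCHED_RELEASES[branch]
    # Assumption (not from the advisory): branches newer than 5.5 were cut after the
    # fix and include it; branches older than 5.3 have no fixed build and must upgrade.
    return branch > (5, 5)


def required_upgrade(text: str) -> Optional[str]:
    """Return the fixed build an unpatched server should move to, or None if already fixed."""
    if is_patched(text):
        return None
    major, minor, _ = parse_version(text)
    # Stay on the same branch if it has a fixed build; otherwise move to the newest fixed line.
    target = PATCHED_RELEASES.get((major, minor), PATCHED_RELEASES[(5, 5)])
    return ".".join(map(str, target))


@dataclass
class Host:
    name: str
    version: str


# Constructed inventory for the demo, not real hosts.
INVENTORY = [Host("rmm-prod", "5.5.7"), Host("rmm-dr", "5.4.10"), Host("rmm-legacy", "5.2.1")]


def triage(hosts: list) -> dict:
    """Map each host name to the build it must upgrade to (None when already patched)."""
    return {h.name: required_upgrade(h.version) for h in hosts}


if __name__ == "__main__":
    for name, target in triage(INVENTORY).items():
        print(f"{name}: {'patched' if target is None else 'upgrade to ' + target}")
```

The check rejects malformed version strings instead of guessing, so an inventory field that is empty or holds a two-part string surfaces as an error rather than silently passing as patched.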