Sophos recently uncovered a targeted cyberattack on a Managed Service Provider (MSP) after detecting suspicious activity involving the MSP’s remote monitoring and management (RMM) tool SimpleHelp.

The investigation revealed that a threat actor had compromised the RMM platform and used it to deploy DragonForce ransomware across multiple customer environments, exfiltrate sensitive data, and launch a double extortion campaign.

Attack Chain

Investigation revealed that the installer had been pushed through a legitimate RMM instance operated by the MSP. This compromised access enabled the attacker to scan customer environments managed by the MSP, collecting device metadata, configurations, user information, and network details.

The attack chain appears to have exploited a set of publicly disclosed vulnerabilities in SimpleHelp from January 2025, including:

Sophos MDR has medium confidence that this vulnerability chain was used to breach the MSP’s RMM infrastructure.

DragonForce Ransomware

DragonForce is a relatively new but rapidly emerging ransomware-as-a-service (RaaS) group, first observed in mid-2023. Known for its aggressive affiliate recruitment and competitive feature set, DragonForce recently made waves by claiming to have taken over the infrastructure of rival group RansomHub.

Threat intelligence reports suggest that Scattered Spider (UNC3944), a well-known ransomware affiliate formerly aligned with RansomHub, has begun using DragonForce in recent attacks targeting large retail chains across the UK and the US.

Conclusion

This incident underscores the critical importance of securing RMM tools and ensuring that advanced endpoint protection and managed detection capabilities are in place—especially for MSPs who serve as high-value targets due to their access to multiple customer environments.

For organizations using RMM platforms, proactive patching, vigilant monitoring, and layered defense strategies are more crucial than ever.

Source: hxxps[://]news[.]sophos[.]com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/
