• DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs

    From TechnologyDaily@1337:1/100 to All on Wednesday, May 28, 2025 10:45:08
    DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs

    Date:
    Wed, 28 May 2025 09:40:37 +0000

    Description:
    DragonForce group found stealing files and deploying encryptors through known vulnerabilities.

    FULL STORY ======================================================================
    Sophos spots DragonForce ransomware attack leveraging three bugs
    The flaws were found in the SimpleHelp RMM platform
    The victim was a major managed service provider (MSP)

    The DragonForce ransomware group is chaining multiple SimpleHelp vulnerabilities to breach systems, steal sensitive files, and deploy an encryptor, experts have warned.

    In a blog post, Sophos MDR researchers noted they were alerted to the incident when a suspicious installation of a SimpleHelp installer file was spotted on the system of a Managed Service Provider (MSP).

    That provider ended up suffering a ransomware infection, but one of its clients was enrolled with the company's MDR and had XDR endpoint protection deployed, alerting the researchers.

    White label model

    SimpleHelp is a self-hosted remote support and remote access software. In January 2025, it was found to be carrying three vulnerabilities: a multiple path traversal flaw (CVE-2024-57727), an arbitrary file upload vulnerability (CVE-2024-57728), and a privilege escalation flaw (CVE-2024-57726).

    Now, Sophos says DragonForce hackers are chaining these three to deploy the ransomware.

    The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients, the researchers explained.

    The attacker also used their access through the MSP's RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.

    Sophos did not name the victim, or the third party that successfully thwarted the attack.

    DragonForce has been rather active in recent times. In late April 2025, it was reported the group had introduced a new business model to the ransomware scene, one which involves cooperating with other gangs.

    Apparently, the group was seen offering a white-label affiliate model, allowing others to use their infrastructure and malware while branding attacks under their own name.

    With this model, affiliates won't need to manage the infrastructure and DragonForce will take care of negotiation sites, malware development and data leak sites.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/dragonforce-ransomware-hacks-simplehelp-rmm-tool-to-attack-msps


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)