Cyberattacks on SimpleHelp RMM observed
Attackers abuse vulnerabilities in SimpleHelp RMM to compromise networks. Updates are available.
(Image: Created with AI in Bing Designer by heise online / dmk)
Criminals are abusing vulnerabilities in the SimpleHelp RMM remote maintenance software to penetrate PCs and networks. IT security researchers have observed a campaign in which devices were initially attacked through these vulnerabilities.
In a blog post, Arctic Wolf employees write that, just under a week before this campaign was discovered, IT researchers from Horizon3.ai found three security vulnerabilities in SimpleHelp RMM and published information about them. The most serious of the three allows privilege escalation from low-privileged technician access to server admin (CVE-2024-57726, CVSS 9.9, risk "critical").
Three vulnerabilities in SimpleHelp RMM
In addition, attackers can download arbitrary files from the SimpleHelp server without prior login; Horizon3.ai classifies this as the worst of the three, although the CVSS rating does not reflect that (CVE-2024-57727, CVSS 7.5, high). The third vulnerability allows files to be uploaded to arbitrary locations on the SimpleHelp server, provided admin access (e.g. as SimpleHelpAdmin or as a technician with admin rights) is available. On Linux, malicious actors can use this to execute commands remotely by uploading a crontab file (CVE-2024-57728, CVSS 7.2, high).
SimpleHelp RMM versions 5.3.9, 5.4.10 and 5.5.8 patch these vulnerabilities. IT managers should update as soon as possible if they have not already done so.
In the breach that Arctic Wolf analyzed, SimpleHelp's "Remote Access.exe" was already running because of a third-party support session that had taken place earlier. The first sign of compromise was communication with an unauthorized SimpleHelp server instance. In the SimpleHelp session, the attackers opened a command line ("cmd.exe") and queried accounts and domain information with "net" and "nltest", for example; these are tools that ship with Windows by default and are also handy for attackers (Living off the Land, LotL). However, the attackers' objectives remain unknown, as the session was terminated before they could advance their attack.
Arctic Wolf recommends uninstalling the SimpleHelp client software used for ad hoc support, changing passwords on SimpleHelp servers, restricting access to trusted IPs and, of course, installing the security updates provided.
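As an added example (not code from the article or from Arctic Wolf), the following Python hunts over constructed endpoint telemetry for the two indicators described above, the SimpleHelp client contacting a server outside the organisation's allowlist and "net"/"nltest" launched from a cmd.exe that the SimpleHelp client opened, which also exercises the trusted-IP recommendation. The allowlist range, hostnames, paths and event records are all assumed sample values.

```python
"""Hunt over constructed endpoint telemetry for the SimpleHelp abuse pattern:
the client contacting an unallowlisted server, and account/domain recon
(net, nltest) run from a cmd.exe that the SimpleHelp client spawned."""
import ipaddress
from typing import Optional

# Hypothetical allowlist of the organisation's own SimpleHelp server (TEST-NET range).
TRUSTED_SERVERS = [ipaddress.ip_network("203.0.113.0/24")]
SIMPLEHELP_CLIENT = "remote access.exe"
RECON_TOOLS = {"net.exe", "net1.exe", "nltest.exe"}

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_network(event: dict) -> Optional[str]:
    """Flag the SimpleHelp client connecting to a server outside the allowlist."""
    if _basename(event["image"]) != SIMPLEHELP_CLIENT:
        return None
    dst = ipaddress.ip_address(event["dst_ip"])
    if any(dst in net for net in TRUSTED_SERVERS):
        return None
    return f"{event['host']}: SimpleHelp client contacted unauthorized server {event['dst_ip']}"

def check_process(event: dict) -> Optional[str]:
    """Flag recon tools whose parent chain ends SimpleHelp client -> cmd.exe."""
    chain = [_basename(p) for p in event["ancestors"]]  # oldest ancestor first
    if chain[-2:] != [SIMPLEHELP_CLIENT, "cmd.exe"]:
        return None
    if _basename(event["image"]) not in RECON_TOOLS:
        return None
    return f"{event['host']}: recon from SimpleHelp session: {event['cmdline']}"

def hunt(events: list) -> list:
    checks = {"network": check_network, "process": check_process}
    return [hit for ev in events if (hit := checks[ev["type"]](ev))]

# Constructed sample telemetry, not data from the incident.
SH = r"C:\Users\alice\Downloads\Remote Access.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"type": "network", "host": "ws01", "image": SH, "dst_ip": "203.0.113.10"},
    {"type": "network", "host": "ws01", "image": SH, "dst_ip": "198.51.100.7"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user /domain", "ancestors": [SH, CMD]},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /domain_trusts", "ancestors": [SH, CMD]},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net use", "ancestors": [r"C:\Windows\explorer.exe", CMD]},
]
```

Running `hunt(SAMPLE_EVENTS)` returns three findings (the unallowlisted server contact and the two recon commands) and ignores the benign "net use" from an Explorer-launched shell on ws02.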
(dmk)