CISA warns of ransomware exploiting unpatched SimpleHelp RMM


The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a cybersecurity advisory highlighting the exploitation of unpatched SimpleHelp Remote Monitoring and Management (RMM) software by ransomware actors. This advisory focuses on the targeting of a utility billing software provider’s customers, marking a continuation of a pattern observed since January 2025, where ransomware groups exploit unpatched versions of SimpleHelp RMM.

SimpleHelp versions 5.5.7 and earlier are vulnerable, particularly to the path traversal vulnerability identified as CVE-2024-57727. This vulnerability has been exploited to gain access to downstream customers’ systems, leading to service disruptions and incidents of double extortion. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog on 13 February 2025.

CISA recommends mitigation strategies for SimpleHelp RMM users

In response, CISA advises organisations using SimpleHelp RMM to search for signs of compromise, apply necessary patches or workarounds, and adhere to the Known Exploited Vulnerabilities Catalog.
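The first step CISA recommends, finding SimpleHelp installs that are still in the affected range, needs a correct version comparison rather than a string match (a naive string comparison would, for instance, rank "5.10.0" below "5.5.7"). The script below is an added example, not code from CISA, SimpleHelp or the advisory: it reads a constructed asset inventory (the host names, the `product=`/`version=` line format and the version values are assumptions made for the example) and flags any SimpleHelp entry at version 5.5.7 or earlier, the range the advisory names for CVE-2024-57727.

```python
"""Flag SimpleHelp RMM installs at version 5.5.7 or earlier.

The 5.5.7 threshold comes from the CISA advisory; everything else here
(inventory format, host names, version values) is constructed sample data
for this example and does not describe any real environment.
"""
import re
from typing import List, Optional, Tuple

# Highest affected version per the advisory: 5.5.7 and earlier are vulnerable.
VULNERABLE_MAX = (5, 5, 7)

# Constructed inventory lines, one asset per line, "key=value" fields.
SAMPLE_INVENTORY = """\
host=billing-app-01 product=SimpleHelp version=5.5.7
host=billing-app-02 product=SimpleHelp version=5.5.8
host=rmm-srv-03 product=SimpleHelp version=5.4.10
host=file-srv-04 product=OtherRMM version=9.1.0
host=rmm-srv-05 product=SimpleHelp version=5.10.0
host=rmm-srv-06 product=SimpleHelp version=unknown
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '5.4.10' into (5, 4, 10) so it compares numerically, component by component.

    Returns None when the string has no leading dotted-numeric part, so the
    caller can report 'unknown' instead of silently treating it as safe.
    Any suffix after the numeric part (e.g. '-beta') is ignored.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if version <= 5.5.7, False if newer, None if the version is unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Tuple comparison is element-wise numeric, so (5, 4, 10) < (5, 5, 7)
    # and (5, 10, 0) > (5, 5, 7), which plain string comparison gets wrong.
    return parsed <= VULNERABLE_MAX


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every SimpleHelp entry in the inventory.

    status is 'VULNERABLE', 'ok', or 'unknown' (version could not be parsed and
    needs manual verification on the host).
    """
    results = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("product") != "SimpleHelp":
            continue  # only SimpleHelp is in scope for this advisory
        version = fields.get("version", "")
        verdict = is_vulnerable(version)
        if verdict is None:
            status = "unknown"
        else:
            status = "VULNERABLE" if verdict else "ok"
        results.append((fields.get("host", "?"), version, status))
    return results


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {version:10} {status}")
```

Hosts reported as VULNERABLE or unknown are the ones to patch (or apply the vendor workaround to) and then sweep for the indicators of compromise the advisory and Sophos published; a clean version number alone does not establish that a host was never reached through an earlier vulnerable build.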

The mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) created by CISA and the National Institute of Standards and Technology (NIST). The CPGs outline a basic set of practices and protections recommended by CISA and NIST for all organisations. Based on existing cybersecurity frameworks and guidance, the CPGs aim to safeguard against the most prevalent and significant threats, tactics, techniques, and procedures.

Recently, the DragonForce ransomware group compromised a managed service provider (MSP) by exploiting SimpleHelp RMM, as reported by Sophos. The attackers used older vulnerabilities, including CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to access data and deploy encryptors on customer systems.

Sophos noted that the attackers initially utilised SimpleHelp for reconnaissance, gathering information on device configurations and network connections. Although Sophos’ endpoint protection blocked the attack on one network, other customers experienced data theft and encryption. Sophos has released Indicators of Compromise (IOCs) to help organisations strengthen their defences against such threats.

Ransomware groups are increasingly targeting MSPs due to their potential for widespread impact. Tools like SimpleHelp, ConnectWise ScreenConnect, and Kaseya are frequently exploited, as evidenced by the REvil ransomware attack on Kaseya, affecting over 1,000 companies.

DragonForce has been involved in notable breaches, including attacks on UK retailers Marks & Spencer and Co-op, resulting in significant customer data theft. The group is reportedly developing a “cartel” through a white-label ransomware-as-a-service (RaaS) model, allowing affiliates to deploy customised encryptors.

In a related advisory, CISA, in collaboration with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), warned of the Medusa ransomware compromising over 300 critical infrastructure entities across the US. This advisory, part of the “#StopRansomware: Medusa Ransomware” initiative, details the tactics and techniques used by Medusa ransomware actors. The advisory also provides indicators of compromise and detection methods, noting that Medusa, a RaaS variant, targets various industries, including healthcare, education, and technology.

