DragonForce exploits SimpleHelp in MSP breach, Sophos probes


The DragonForce ransomware group has compromised a managed service provider (MSP), researchers have discovered, with the group exploiting the SimpleHelp remote monitoring and management (RMM) platform to access data and deploy encryptors on customer systems. Sophos, which investigated the intrusion, identified that the attackers leveraged older vulnerabilities in SimpleHelp, specifically CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to infiltrate the system.

SimpleHelp is widely used by MSPs for system management and software deployment across customer networks. According to Sophos, the attackers initially used SimpleHelp for reconnaissance, gathering information on device configurations, users, and network connections.

While Sophos’ endpoint protection managed to block the attack on one network, other customers were not as fortunate, suffering data theft and encryption in double-extortion schemes. Sophos has released Indicators of Compromise (IOCs) to aid organisations in fortifying their networks against such threats.

DragonForce targets MSPs for widespread ransomware attacks

Ransomware groups have increasingly targeted MSPs due to their potential for widespread impact. Tools like SimpleHelp, ConnectWise ScreenConnect, and Kaseya are often exploited in these attacks, as demonstrated by the REvil ransomware attack on Kaseya, which affected over 1,000 companies.

Recently, DragonForce has gained attention for high-profile breaches, including those on UK retailers Marks & Spencer and Co-op, with significant customer data theft reported. DragonForce is attempting to establish a “cartel” through a white-label ransomware-as-a-service (RaaS) model, enabling affiliates to deploy customised versions of its encryptor.

In a separate incident, MathWorks, a developer of mathematical computing and simulation software, has experienced a ransomware attack, leading to a service outage. Based in Natick, Massachusetts, MathWorks, established in 1984, employs over 6,500 staff across 34 offices globally.

The company is known for its MATLAB and Simulink platforms, used by more than 100,000 organisations and over five million users.

“MathWorks experienced a ransomware attack,” said MathWorks in an incident report. “We have notified federal law enforcement of this matter. The attack affected our IT systems. Some of our online applications used by customers became unavailable, and certain internal systems used by staff became unavailable, beginning on Sunday, May 18. We have brought many of these systems back online and are continuing to bring other systems back online with the assistance of cybersecurity experts.”

MathWorks continues to experience service disruptions following the ransomware attack, affecting several online services such as the cloud centre, file exchange, license centre, and MathWorks store. However, the company has managed to restore some services. On 21 May, MathWorks reinstated multi-factor authentication (MFA) and account Single Sign-On (SSO), resolving several days of sign-in issues that had prevented users from accessing their accounts. Despite these efforts, some customers have faced difficulties creating new accounts since Friday, and users who have not signed in since 11 October 2024 remain unable to log in.

MathWorks has not yet disclosed further details about the incident, including the identity of the ransomware group responsible or whether any customer data was compromised during the breach.

