
Exploiting Three Security Flaws
The DragonForce attackers appear to have chained together three known vulnerabilities in SimpleHelp’s RMM software that were made public in January and patched by the company soon after.

Bad actors exploited CVE-2024-57727, a path traversal vulnerability that allowed unauthenticated remote attackers to download arbitrary files—such as server configuration files containing secrets and hashed user passwords—from the SimpleHelp host via crafted HTTP requests. A second flaw, CVE-2024-57728, allowed admin users to upload arbitrary files anywhere on the file system by uploading a specially crafted file. This can be exploited to execute arbitrary code on the host. CVE-2024-57726 allows low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role.

The vulnerabilities were found in SimpleHelp’s remote support software v5.5.7 and before.
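The first of the three flaws is a path traversal bug reached through crafted HTTP requests. The following is an added example, written for this page and not code from SimpleHelp or from the article, showing the two sides a defender cares about: a log-side detector that decodes a request path (including double-encoded sequences) and flags any path whose `..` segments climb above the server root, and a server-side resolver that refuses to serve a file resolving outside the intended directory. The log lines, file names and the `/srv/www` root are constructed for the example and are not taken from any real deployment.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample access-log lines written for this example; they are not
# from the article, from SimpleHelp, or from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2025:10:01:02 +0000] "GET /static/app.js HTTP/1.1" 200 4512
10.0.0.7 - - [12/Jun/2025:10:01:09 +0000] "GET /static/../../conf/server.properties HTTP/1.1" 200 1024
10.0.0.7 - - [12/Jun/2025:10:01:11 +0000] "GET /static/..%2F..%2Fconf/users.db HTTP/1.1" 200 2048
10.0.0.7 - - [12/Jun/2025:10:01:15 +0000] "GET /static/%252e%252e/%252e%252e/secrets.txt?x=1 HTTP/1.1" 200 300
10.0.0.9 - - [12/Jun/2025:10:02:00 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 800
"""

# Matches the request line inside a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing, so that
    double-encoded sequences such as %252e%252e ('..') are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_server_root(target):
    """True if the request path, once decoded and split into segments,
    climbs above the server's root through '..' segments. Backslashes are
    treated as separators because some servers accept them as such."""
    path = target.split("?", 1)[0]            # drop the query string
    path = fully_decode(path).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:                     # climbed above the root
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def find_traversal_attempts(log_text):
    """Return (line_number, method, target) for each request whose path
    escapes the server root; benign '..' use inside the tree is not flagged."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m and escapes_server_root(m.group("target")):
            hits.append((number, m.group("method"), m.group("target")))
    return hits


def safe_resolve(root_dir, requested):
    """Server-side mitigation: map a requested path onto the served directory
    and refuse anything that resolves outside it. Returns the absolute path
    to serve, or None if the request must be rejected."""
    root = os.path.realpath(root_dir)
    relative = fully_decode(requested).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print(safe_resolve("/srv/www", "static/app.js"))          # served
    print(safe_resolve("/srv/www", "../../conf/secrets.txt"))  # None
```

The detector deliberately counts depth rather than searching for the literal string `..`, so a legitimate `/docs/a/../b.html` is left alone while the three encoded variants on the constructed lines are all reported. `safe_resolve` is the complementary fix on the serving side: it canonicalises with `os.path.realpath` (which also follows symlinks) before comparing against the served root, which is the check a file-download endpoint of the kind described above must make before opening anything.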
Hackers Turn Their Eyes to RMM Tools
The attack is the latest example of the growing popularity of RMM and other remote tools for software supply chain attacks, giving cybercrime groups a way to easily target a large user base. Threat intelligence vendors have been documenting RMM software targeting for initial payloads that can lead to ransomware, phishing, and other attacks.

Because of the wide use of such tools to help manage client IT environments, MSSPs and MSPs with cybersecurity practices have become targets of threat groups. With RMM software, security service providers can deploy patches, ensure the security of endpoints, troubleshoot systems, and run other tasks without having to be on-site. Such tools have become popular as IT environments are increasingly distributed.

In a report last year, CrowdStrike researchers found a 70% increase in the use of RMM tools in cyberattacks. Earlier this year, Proofpoint analysts wrote of a rapid expansion in the use of RMM software by threat actors – particularly in first-stage use cases – apparently at the expense of other popular tools, including loaders and botnet malware, which initial access brokers (IABs) use to get access into compromised systems and then sell that access.
Blending In and Evading Detection
Cybersecurity firm Intel471 in a report in March wrote that RMM tools – which include AnyDesk, Atera Agent, MeshAgent, NetSupport Manager, Quick Assist, ScreenConnect, Splashtop, and TeamViewer – are attractive to bad actors for the same reasons MSSPs and MSPs use them, such as easy and unobtrusive access to systems.

“Detecting malicious actions using RMM tools is difficult because they are so widely used and deeply integrated into IT workflows,” the vendor wrote. “RMM is legitimate software, so these applications are unlikely to be flagged as malware. Abusing RMM tools offers a distinct advantage over remote access tools (RATs), which are custom-designed malware tools that need to employ other techniques, such as valid signing certificates, to avoid being flagged by security software.”

Tom Barnea, a security specialist with security firm Varonis, wrote last year that the “primary advantage for attackers using RMM tools is their ability to blend in and evade detection, as these tools and their traffic are typically ‘ignored’ by both security controls and organizational security policies, such as application whitelisting.”

At the same time, Barnea added, “the tactic also helps ‘script kiddies,’ less skilled hackers, who, once connected, find everything they need already installed and ready for them.”
The Changing Nature of DragonForce
In this case, the attacker was DragonForce, a group that surfaced in 2023 with a typical ransomware-as-a-service (RaaS) model that grew in popularity after group members began advertising the service on underground forums, researchers with Secureworks – now owned by Sophos – wrote last month.

In March, DragonForce announced that it was rebranding as a “cartel,” with a shift in the distribution model that lets affiliates create their own brands, they wrote.

“In this model, DragonForce provides its infrastructure and tools but doesn’t require affiliates to deploy its ransomware,” the researchers wrote. “Advertised features include administration and client panels, encryption and ransom negotiation tools, a file storage system, a Tor-based leak site and .onion domain, and support services.”

The move allowed DragonForce to expand its presence by appealing to a larger range of affiliates. For threat actors with limited technical skills, having an established infrastructure and tools gave them more opportunities. More sophisticated hackers could deploy their own malware without the work of creating and managing their own infrastructure.

“By broadening its affiliate base, DragonForce can increase its potential for financial gain,” they wrote. “However, the shared infrastructure does introduce risk to DragonForce and its affiliates. If one affiliate is compromised, other affiliates’ operational and victim details could be exposed as well.”