Cybersecurity researchers have uncovered a sophisticated ransomware campaign targeting utility billing software providers through unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) systems.
The attack represents a concerning evolution in ransomware tactics, where threat actors are leveraging trusted remote access tools to establish persistent footholds in critical infrastructure networks and subsequently compromise downstream customers through supply chain infiltration.
The campaign exploits CVE-2024-57727, a path traversal vulnerability present in SimpleHelp versions 5.5.7 and earlier, which allows attackers to bypass authentication mechanisms and gain unauthorized access to remote systems.
.png
)
Security researchers have observed a pattern of exploitation attempts targeting organizations with unpatched SimpleHelp instances since January 2025, indicating a coordinated effort by ransomware groups to identify and compromise vulnerable RMM deployments across multiple sectors.
CISA analysts identified this threat as particularly dangerous due to its focus on utility billing software providers, which serve as intermediaries between critical infrastructure operators and end customers.
The ransomware actors are employing double extortion tactics, combining data encryption with threats to leak sensitive customer information, effectively multiplying the impact of each successful compromise.
The Cybersecurity and Infrastructure Security Agency added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog on February 13, 2025, emphasizing the active exploitation of this vulnerability in the wild.
Organizations affected by this campaign face significant operational disruptions, as the compromise of billing software providers can cascade through entire customer networks.
The attackers demonstrate sophisticated understanding of supply chain relationships, using initial access through RMM systems to pivot into customer environments and deploy ransomware payloads across multiple organizations simultaneously.
Technical analysis reveals that compromised systems often contain suspicious executables with three-letter alphabetic filenames, created after January 2025, serving as indicators of potential breach activity.
Technical Exploitation Mechanism
The vulnerability exploitation process begins with attackers scanning for internet-exposed SimpleHelp servers and identifying vulnerable versions through HTTP queries to the /allversions endpoint.
Once vulnerable instances are located, threat actors leverage the path traversal vulnerability to access the server configuration file located at /SimpleHelp/configuration/serverconfig.xml, which contains critical system information including version details and network configurations.
The attackers then exploit the vulnerability to gain administrative access, allowing them to deploy remote access services on endpoint systems by targeting specific directories including %APPDATA%\JWrapper-Remote Access on Windows, /opt/JWrapper-Remote Access on Linux, and /Library/Application Support/JWrapper-Remote Access on macOS platforms.
This multi-platform approach ensures broad compatibility across diverse organizational environments, while the manipulation of the serviceconfig.xml file in the JWAppsSharedConfig directory enables persistent remote access through registered server connections, facilitating long-term network presence for subsequent ransomware deployment and data exfiltration operations.
Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access
