Summary
Sophos Managed Detection and Response (MDR) recently responded to a targeted attack against an unnamed Managed Service Provider (MSP) in which the threat actor abused the MSP's SimpleHelp remote monitoring and management (RMM) platform to deploy DragonForce ransomware to multiple customer endpoints. The attackers exploited CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, three SimpleHelp vulnerabilities disclosed in January 2025, to obtain unauthenticated file disclosure from the server, escalate to server administrator, and upload arbitrary files (and therefore execute code) on the SimpleHelp server. Following a double-extortion model, the attackers exfiltrated sensitive data before encrypting systems and used the threat of disclosure to pressure victims into paying.
Community Impact
The abuse of MSP infrastructure to deliver ransomware materially amplifies the threat to the retail and hospitality sectors, since many RH-ISAC member organizations depend on MSP-managed IT environments and inherit the exposure of whatever RMM tooling their providers run. Core Members are therefore advised to maintain situational awareness around exploitation of CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726; to confirm with their MSPs that any SimpleHelp server has been updated to a release containing the January 2025 fixes (5.5.8, 5.4.10, or 5.3.9, depending on the release branch); to review the intelligence included here; and to ingest the indicators of compromise provided below.
Analysis
The threat actor's methodology in this incident was a multi-stage intrusion built on the SimpleHelp exploit chain disclosed in January 2025, in which each vulnerability supplies the precondition for the next. Initial access came through CVE-2024-57727 (Multiple Path Traversal, CVSS v3.1 7.5), which lets an unauthenticated remote attacker download arbitrary files from the SimpleHelp server, including serverconfig.xml, which holds hashed technician credentials; those credentials were then used to authenticate to the server. Once authenticated as a technician, the attacker used CVE-2024-57726 (Privilege Escalation, CVSS v3.1 9.9, Critical), which allows a low-privileged technician to create API keys carrying more permissions than the technician holds and thereby act as server admin. With administrative rights, the attacker used CVE-2024-57728 (Arbitrary File Upload via zip slip, CVSS v3.1 7.2), which requires admin privileges and is why the escalation step comes first, to upload the DragonForce ransomware binary and other malicious executables to the server. From there the RMM platform's legitimate remote-execution features were used to push and run the ransomware on multiple client endpoints, so the malicious activity blended in with ordinary MSP administration.
Indicators of Compromise
Sophos has provided the following indicators of compromise for recommended review and ingestion:
| Indicator Type | Data | Note |
| --- | --- | --- |
| File Path | C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\working\toolbox-9759076704687761247\win.exe | DragonForce ransomware binary |
| SHA256 | cee6a7663fad90c807c9f5ea8f689afd0e4ece04f8c55d7a047a7215db6be210 | DragonForce ransomware binary |
| Filename | PUSH PUSh PUUUUUSH.bat | Batch script to list and clear all Windows Event logs |
| File Path | C:\Users\<user>\Videos\PUSH PUSh PUUUUUSH.bat | Batch script to list and clear all Windows Event logs |
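As an added example (this is not Sophos's or RH-ISAC's code), the following PowerShell hunts a single Windows host for the indicators above and for the side effect of the batch script, which is the clearing of event logs. It assumes an elevated session on an endpoint or server that SimpleHelp manages, standard Windows paths, and the IOC values exactly as published in the table. One caveat is built in: the JWrapper-Remote Access directory is created by legitimate SimpleHelp installs and the working\toolbox-* subdirectories stage technician tools, so the script treats a path-pattern match as something to triage and only a SHA256 match as a confirmed hit.

```powershell
# Added hunting example for the indicators above; not part of the Sophos or RH-ISAC material.
# Assumptions: elevated PowerShell on a Windows host; IOC values as published in the table;
# Security event 1102 and System event 104 are the standard Windows records of a cleared log.

$Sha256Iocs = @(
    'cee6a7663fad90c807c9f5ea8f689afd0e4ece04f8c55d7a047a7215db6be210'   # DragonForce binary
)
$BatName     = 'PUSH PUSh PUUUUUSH.bat'
$ToolboxRoot = 'C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\working'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Detail = $Detail })
}

# 1. Hash everything under the SimpleHelp toolbox staging directory. The directory itself is
#    created by legitimate SimpleHelp installs, so a path match alone is not a hit; the hash is.
if (Test-Path -LiteralPath $ToolboxRoot) {
    Get-ChildItem -LiteralPath $ToolboxRoot -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h -and ($Sha256Iocs -contains $h.Hash.ToLower())) {
                Add-Finding 'SHA256' $_.FullName $h.Hash.ToLower()
            } elseif ($_.Name -ieq 'win.exe' -and $_.Directory.Name -like 'toolbox-*') {
                # Same naming pattern as the incident path; triage, not a confirmed match.
                Add-Finding 'ToolboxBinary' $_.FullName 'review: path pattern only'
            }
        }
}

# 2. The log-clearing batch script: first at the exact reported location in every profile,
#    then by name anywhere else under C:\Users.
Get-ChildItem -LiteralPath 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Join-Path $_.FullName ("Videos\" + $BatName)
    if (Test-Path -LiteralPath $p) { Add-Finding 'Filename' $p 'exact reported path' }
}
Get-ChildItem -LiteralPath 'C:\Users' -Recurse -File -Filter $BatName -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -notlike '*\Videos' } |
    ForEach-Object { Add-Finding 'Filename' $_.FullName 'reported name, other location' }

# 3. Evidence that the script ran: Security 1102 and System 104 are written for each cleared log.
#    If the script succeeded, 1102 may be the only surviving Security event, so an otherwise
#    empty Security log is itself suspicious; correlate with the SIEM copy of the logs.
$cleared = @()
$cleared += @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 20 -ErrorAction SilentlyContinue)
$cleared += @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents 20 -ErrorAction SilentlyContinue)
foreach ($e in $cleared) {
    $firstLine = ($e.Message -split "`n")[0]
    Add-Finding 'EventLogCleared' "$($e.LogName)/$($e.Id)" ("{0:u} {1}" -f $e.TimeCreated, $firstLine)
}

if ($findings.Count -eq 0) {
    Write-Output "No DragonForce/SimpleHelp indicators found on $env:COMPUTERNAME"
} else {
    $findings | Sort-Object Type | Format-Table -AutoSize
}
```

Run it per host, or wrap it in Invoke-Command to fan out across a fleet; a SHA256 hit or a copy of the batch script is actionable on its own, while ToolboxBinary and EventLogCleared rows need a timeline check against the MSP's change records before they are treated as confirmed compromise.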