
Alert issued by CISA concerning potential hazards in supply chains due to ransomware attacks leveraging vulnerabilities in SimpleHelp software

Utility billing software provider experiences recent cyber infiltration, compromising their clientele.

Ransomware threats exploiting weak points in SimpleHelp software pose potential hazards to the supply chain, according to CISA's alert.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert, warning that ransomware gangs have exploited a vulnerability in the SimpleHelp remote support program to breach customers of a utility billing software vendor.

According to the alert, the ransomware actors, including the group known as DragonForce, have been chaining this vulnerability with others to breach unpatched systems since SimpleHelp disclosed the flaw in mid-January. Software supply chains make such targeting easier: a vendor that bundles or deploys SimpleHelp as part of its own product passes the vulnerability on to every customer running that deployment, often without either party realising it.

The vulnerability exploited in this case, CVE-2024-57727, affects SimpleHelp versions 5.5.7 and earlier. It is an unauthenticated path traversal in the SimpleHelp server that allows an attacker to read arbitrary files, including server configuration files that hold credentials. CISA urges software vendors, downstream customers, and end users to implement the mitigations listed in the advisory immediately, whether they have confirmed a compromise or merely identified a risk of one.

The breach of the utility billing software vendor was first reported by Sophos researchers in late May. The new CISA alert follows an earlier warning from CISA and the FBI that hackers associated with the Play ransomware gang had been targeting critical infrastructure organizations using the flaw in SimpleHelp's remote management software.

CISA encourages victims to share incident information with the FBI, including foreign IP addresses that connected to their systems, ransom notes, attackers' communications, and other details. Customers should determine whether they are running the SimpleHelp endpoint service, isolate and update those systems, and follow SimpleHelp's additional guidance.

Vendors are advised to isolate vulnerable SimpleHelp instances, update the software, and warn their customers, according to CISA. Corporate stakeholders are increasingly asking a blunt question about their technology stacks: are we a target? For anyone whose vendors deploy remote management tooling into their environment, this alert makes the answer a matter of inventory rather than speculation.
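The triage step described above (find every SimpleHelp instance, decide whether it falls in the affected range, then isolate and update) is easy to get wrong by eyeballing version strings. The following script is an added example, not code from CISA or SimpleHelp: it parses version strings, applies the "5.5.7 and earlier" boundary from the alert, and sorts a constructed host inventory into affected, patched and unknown buckets. The inventory, host names and the install directory names it looks for are assumptions made for illustration.

```python
"""Triage a SimpleHelp inventory against CVE-2024-57727 (affects 5.5.7 and earlier)."""
import re
from pathlib import Path

# First release outside the affected range stated in the alert ("5.5.7 and earlier").
FIXED_IN = (5, 5, 8)

# Assumed default install directories to check on a local host; adjust for your build.
DEFAULT_INSTALL_PATHS = [
    r"C:\Program Files\JWrapper-Remote Access",
    "/opt/JWrapper-Remote Access",
]

# Constructed sample inventory: (hostname, version string as reported by the asset tool).
SAMPLE_INVENTORY = [
    ("billing-rmm-01", "5.5.7"),     # exactly at the boundary: still affected
    ("support-02", "v5.5.8"),        # first patched release
    ("legacy-03", "5.4.10"),         # older branch; numeric compare, not string compare
    ("lab-04", "unknown"),           # asset tool could not read a version
    ("dev-05", "5.5.7.1"),           # four-part build below 5.5.8: treat as affected
]


def parse_version(text):
    """Turn '5.5.7' or 'v5.5.7.1' into a tuple of ints; return None if unparseable."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text):
    """True when the version is 5.5.7 or earlier; raises ValueError on bad input."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"unparseable version: {version_text!r}")
    # Pad both tuples so 5.5.7.1 compares against 5.5.8.0 rather than failing on length.
    width = max(len(parsed), len(FIXED_IN))
    padded = parsed + (0,) * (width - len(parsed))
    fixed = FIXED_IN + (0,) * (width - len(FIXED_IN))
    return padded < fixed


def triage(inventory):
    """Bucket hosts into affected / patched / unknown for isolation and update work."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unknown"   # cannot prove it is safe: verify by hand
        result[bucket].append(host)
    return result


def installed_locally(paths=DEFAULT_INSTALL_PATHS):
    """Return which assumed SimpleHelp install directories exist on this machine."""
    return [p for p in paths if Path(p).exists()]


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket:>8}: {', '.join(hosts) or '-'}")
    print("local install dirs found:", installed_locally() or "none")
```

Hosts in the "unknown" bucket are the ones to chase first: an asset tool that cannot read a version usually cannot tell you whether the service is even running, and the alert's advice is to isolate before you can prove an instance is patched.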

The latest alert from CISA indicates a pattern of such attacks, of which the breach of the utility billing vendor is one instance. The actors combine phishing, exploitation of multiple CVEs, Cobalt Strike, and abuse of legitimate RMM tools such as SimpleHelp. The alert does not attribute the activity to a specific country; DragonForce is described as a ransomware cartel operating globally under a Ransomware-as-a-Service (RaaS) model.

As the threat landscape continues to evolve, it is crucial for organisations to stay vigilant and proactive in securing their systems. By following the guidance provided by CISA and other cybersecurity authorities, businesses can help protect themselves against such attacks.
