Full Report
The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider's (MSP) SimpleHelp remote monitoring and management (RMM) tool, and then leveraged it to exfiltrate data and drop the locker on multiple endpoints. It's believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were
Analysis Summary
# Incident Report: DragonForce Ransomware Attack via Compromised MSP RMM Tool
## Executive Summary
Threat actors associated with the DragonForce ransomware operation are believed to have exploited three vulnerabilities in an unnamed Managed Service Provider's (MSP) SimpleHelp Remote Monitoring and Management (RMM) server (CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728) to gain initial access. Because the MSP used that server to manage customer endpoints, the compromised RMM became a trusted channel into downstream customers: the actors used it to inventory those environments, exfiltrate data and push the DragonForce locker to multiple endpoints. This is a supply chain compromise in the classic MSP form, one foothold fanning out to many victims, and it fits an evolving ransomware ecosystem in which such entry vectors are increasingly common.
## Incident Details
- Discovery Date: Not stated. The intrusion came to light when a suspicious SimpleHelp installer push was investigated (see Detection & Response).
- Incident Date: Not stated precisely. The report places the intrusion after the January 2025 disclosure of CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728.
- Affected Organization: Unnamed Managed Service Provider (MSP) and its downstream customers.
- Sector: Managed Service Provider/Technology Services.
- Geography: Not disclosed. The report also references DragonForce's high-profile attacks on the U.K. retail sector, but those are separate incidents.
## Timeline of Events
### Initial Access
- Date/Time: Not stated; believed to follow the January 2025 disclosure of the vulnerabilities.
- Vector: Exploitation of three vulnerabilities in the SimpleHelp RMM server (CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726).
- Details: The actors gained access to the SimpleHelp instance that the MSP hosted and operated to manage its customers' endpoints, so a single server compromise yielded reach into every client it managed.
### Lateral Movement
- Date/Time: Not stated; took place during the dwell period before locker deployment (see Data Exfiltration/Impact).
- Vector: Use of the compromised RMM instance to pivot into customer environments, with no exploitation of the customers' own perimeters required.
- Details: Through the RMM the actors collected information on customer environments, including device names, configurations, user accounts and network connections.
### Data Exfiltration/Impact
- Date/Time: The actors reportedly remained in the network for nine days before attempting to deploy the locker.
- Vector: Data theft through the RMM channel followed by ransomware deployment, the double-extortion pattern.
- Details: Data was stolen from multiple downstream customers, giving the actors leverage for double-extortion demands. The DragonForce locker was then dropped on several endpoints, though at least one client detected and blocked the deployment.
### Detection & Response
- Date/Time: Not stated; Sophos's investigation began when the installer push described below was flagged.
- Vector: Alert on a SimpleHelp installer file pushed to endpoints through the MSP's own, legitimate SimpleHelp RMM instance. A remote access tool installing another remote access tool is the anomaly that surfaced the intrusion, since the channel itself was trusted.
- Details: Sophos was alerted and investigated. At least one impacted client shut down the attackers' access, preventing further compromise in that environment.
## Attack Methodology
- Initial Access: Exploitation of the three SimpleHelp CVEs on the MSP's unpatched, internet-facing RMM server.
- Persistence: Not detailed. The compromised RMM instance itself was the foothold: it provided legitimate, persistent access to every managed client, and the SimpleHelp installer pushed through it is consistent with the actors adding remote access of their own.
- Privilege Escalation: Not detailed for the customer environments. On the RMM server itself, CVE-2024-57726 is a privilege-escalation flaw (technician to admin), and RMM administrative access already implies privileged code execution on managed endpoints, because the agent runs as a system service. The report speculates about affiliate collaboration (for example with the identity-focused Scattered Spider) but confirms no such step in this intrusion.
- Defense Evasion: Abuse of a legitimate, trusted RMM tool, whose traffic and agent activity are expected, to bypass perimeter controls and blend into normal administration.
- Credential Access: Not confirmed. The inventory of user accounts gathered through the RMM is consistent with credential harvesting, but the report does not state that credentials were taken.
- Discovery: Performed reconnaissance on customer environments, collecting details on device names, configurations, users, and network connections.
- Lateral Movement: Movement extended from the compromised MSP infrastructure to affect multiple downstream customer networks via the trusted RMM channel.
- Collection: Gathering system and user information from targeted customer environments.
- Exfiltration: Data theft from several downstream customers.
- Impact: Deployment of DragonForce ransomware and data theft leading to double-extortion attempts.
## Impact Assessment
- Financial: Loss associated with incident response, recovery, and potential ransom payments (not quantified).
- Data Breach: Data theft occurred across multiple downstream customers (specific volume/type not detailed, but implied sensitive organization/device data).
- Operational: Business disruption occurred for affected customers due to ransomware deployment; one client managed to halt access.
- Reputational: Negative impact on the MSP due to supply chain compromise and subsequent service disruption for clients.
## Indicators of Compromise
- Network indicators: None published. The malicious activity rode the MSP's own SimpleHelp RMM sessions, so the signal is contextual: RMM sessions at unusual hours, from technician accounts that should be idle, or reaching hosts a given technician does not normally manage.
- File indicators: A SimpleHelp installer file delivered to endpoints through an existing SimpleHelp session when no deployment was scheduled.
- Behavioral indicators: Reconnaissance commands, file drops and locker execution appearing as child processes of the RMM agent rather than of an interactive user.
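The two detection signals described under Detection & Response and in the behavioral indicators above (an installer launched through a live RMM session, and a run of discovery tools under the RMM agent) can be expressed as rules over ordinary process-creation telemetry. The following is an added illustration, not code from Sophos, SimpleHelp or the report. The parent-process patterns for the SimpleHelp agent, the installer naming, the event field names and the sample events are all assumptions constructed for the example; tune them to what your EDR actually records.

```python
"""Flag RMM-channel abuse in endpoint process-creation telemetry.

Two rules, both keyed on the parent process being the SimpleHelp agent:
  1. an installer launched through an existing RMM session (the trigger in
     the Sophos case: one remote access tool deploying another);
  2. a burst of built-in discovery tools on one host.
"""
import re
from collections import defaultdict

# ASSUMPTION: how the SimpleHelp remote access service appears as a parent
# process in Windows telemetry (SimpleHelp packages its agent with JWrapper).
# Tune these patterns to what your EDR actually reports.
RMM_PARENT_RE = re.compile(r"jwrapper-remote access|remote access\.exe|simplehelp", re.I)

# ASSUMPTION: installer-like child image names. "remote access" is included so
# a fresh SimpleHelp agent pushed through a live SimpleHelp session is caught.
INSTALLER_RE = re.compile(r"(setup|install|remote access)[^\\/]*\.(exe|msi)$", re.I)

# Built-in tools typically chained together during host/domain reconnaissance.
RECON_BINARIES = {
    "whoami.exe", "nltest.exe", "net.exe", "net1.exe", "ipconfig.exe",
    "systeminfo.exe", "quser.exe", "nslookup.exe", "arp.exe", "netstat.exe",
    "dsquery.exe", "tasklist.exe", "route.exe",
}
RECON_THRESHOLD = 3  # distinct recon tools per host before raising an alert


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Return the rule an event matches, or None when it is not RMM-spawned."""
    if not RMM_PARENT_RE.search(event["parent_image"]):
        return None
    child = basename(event["image"])
    if INSTALLER_RE.search(child):
        return "rmm_pushed_installer"
    if child in RECON_BINARIES:
        return "rmm_recon"
    return None


def detect(events):
    """Run both rules over a batch and return (host, finding, details) alerts."""
    installers = defaultdict(list)
    recon = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule == "rmm_pushed_installer":
            installers[ev["host"]].append(ev["image"])
        elif rule == "rmm_recon":
            recon[ev["host"]].add(basename(ev["image"]))
    alerts = []
    for host, images in installers.items():
        alerts.append((host, "installer pushed through RMM session", sorted(images)))
    for host, tools in recon.items():
        if len(tools) >= RECON_THRESHOLD:
            alerts.append((host, "reconnaissance burst under RMM session", sorted(tools)))
    return sorted(alerts)


# Constructed sample telemetry, not from the incident. One host shows the
# installer push plus recon; one has a lone helpdesk ipconfig; one has recon
# under explorer.exe (an interactive user, not the RMM) and a harmless child.
AGENT = r"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access\Remote Access.exe"
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "parent_image": AGENT,
     "image": r"C:\Windows\Temp\Remote Access-windows64-online.exe"},
    {"host": "ws-finance-07", "parent_image": AGENT, "image": r"C:\Windows\System32\whoami.exe"},
    {"host": "ws-finance-07", "parent_image": AGENT, "image": r"C:\Windows\System32\nltest.exe"},
    {"host": "ws-finance-07", "parent_image": AGENT, "image": r"C:\Windows\System32\net.exe"},
    {"host": "ws-hr-02", "parent_image": AGENT, "image": r"C:\Windows\System32\ipconfig.exe"},
    {"host": "srv-file-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\nltest.exe"},
    {"host": "srv-file-01", "parent_image": AGENT, "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, finding, details in detect(SAMPLE_EVENTS):
        print(f"{host}: {finding}: {details}")
```

The installer rule fires on a single event because a remote access tool deploying software through another remote access session is rare enough in a well-run MSP to justify a ticket every time; the reconnaissance rule needs several distinct tools on one host, so that a technician running a lone `ipconfig` during a support call does not page anyone.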
## Response Actions
- Containment Measures: At least one client successfully shut down the attackers' network access.
- Eradication Steps: Not detailed. In practice this means upgrading every SimpleHelp server to a fixed build, rebuilding any server whose compromise cannot be bounded, and rotating every credential the server held or could reach: technician and admin accounts, plus any directory or API secrets stored in its configuration, since CVE-2024-57727 allowed unauthenticated download of server files. Affected customers should also remove any RMM agents the actors pushed and reinstall from a known-good source.
- Recovery Actions: Restoring systems affected by the ransomware deployment.
## Lessons Learned
- Criticality of Third-Party Software: Vulnerabilities in widely used RMM tools pose an extreme supply chain risk, capable of affecting numerous clients simultaneously.
- Patching Timeliness: The exploitation occurred following the disclosure of critical CVEs, highlighting the danger of delayed patching in internet-facing tools like RMMs.
- Evolving Threat Landscape: DragonForce's "cartel" model, which lets affiliates operate under their own brands on shared infrastructure, is expected to fragment the ecosystem further and calls for behavior-based defenses rather than brand-specific signatures.
- Potential Collaboration: The report raises the possibility of collaboration in the initial-access phase, for example with the identity-focused Scattered Spider, without confirming it.
## Recommendations
- Upgrade every SimpleHelp server to a build that fixes CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728 (5.5.8, 5.4.10 or 5.3.9, or later); until that is done, take the server off the internet or restrict it to known technician addresses.
- Apply least privilege to the RMM itself: per-customer technician accounts with no standing administrative rights, multi-factor authentication on technician and admin logins, and agent permissions limited to what each customer's support scope requires.
- Treat software pushed through the RMM as a potentially compromised channel: require change records for deployments, alert on installers (especially other remote access tools) delivered through RMM sessions, and verify unexpected pushes with the MSP out of band.
- Monitor RMM agent activity on endpoints for anomalous child processes, reconnaissance commands and file drops, and review RMM server audit logs for sessions outside normal hours or scope.
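The first recommendation, patch or isolate, is usually applied across a fleet of RMM servers rather than one. The following added example (not SimpleHelp's, Sophos's or the report's code) triages a constructed server inventory against the fixed builds named above. The fixed build numbers are the ones published with the January 2025 disclosure; the treatment of branches newer than 5.5 as fixed, the treatment of branches older than 5.3 as unsupported, and the inventory format are assumptions and should be checked against the vendor's release notes.

```python
"""Triage an MSP's SimpleHelp server inventory against the builds that fixed
CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728.
"""

# Fixed builds per release branch as published with the January 2025
# disclosure: 5.5.8, 5.4.10 and 5.3.9. ASSUMPTION: no fixed build exists for
# branches below 5.3, so those are treated as unsupported.
FIXED_BUILDS = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}


def parse_version(text):
    """Turn '5.5.7' or 'v5.5.7' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SimpleHelp version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return (status, fixed_build) for one server version string.

    status is 'patched', 'vulnerable' or 'unsupported'. ASSUMPTION: branches
    newer than 5.5 carry the fix because they were cut after the disclosure.
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        fixed = FIXED_BUILDS[branch]
        return ("patched" if version >= fixed else "vulnerable", fixed)
    if branch > max(FIXED_BUILDS):
        return ("patched", None)
    return ("unsupported", None)


def triage(inventory):
    """Order servers by what to do first.

    Internet-exposed servers that are vulnerable or unsupported are isolated
    before anything else; internal ones are queued for upgrade.
    """
    actions = []
    for rec in inventory:
        status, fixed = assess(rec["version"])
        if status == "patched":
            continue
        target = "upgrade to %d.%d.%d" % fixed if fixed else "migrate to a fixed branch"
        if rec["internet_exposed"]:
            actions.append((0, rec["host"], rec["version"], status, f"ISOLATE NOW, then {target}"))
        else:
            actions.append((1, rec["host"], rec["version"], status, target))
    actions.sort()
    return [a[1:] for a in actions]


# Constructed inventory, not from the incident.
SAMPLE_INVENTORY = [
    {"host": "rmm-eu-1.example", "version": "5.5.7", "internet_exposed": True},
    {"host": "rmm-eu-2.example", "version": "5.5.8", "internet_exposed": True},
    {"host": "rmm-lab.example", "version": "5.4.9", "internet_exposed": False},
    {"host": "rmm-legacy.example", "version": "5.2.3", "internet_exposed": True},
]

if __name__ == "__main__":
    for host, version, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host} ({version}, {status}): {action}")
```

How the version string is collected (from the admin console or from the server's own version endpoint) is left outside the block on purpose; the point is the ordering, which puts an exposed, unpatchable legacy server ahead of an internal one that merely needs an upgrade.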