Summary: Field Effect thwarted a cyberattack in which a threat actor exploited
newly discovered vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) client to gain unauthorized access to a targeted network. The vulnerabilities, CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, disclosed by
Horizon3.ai last month, could lead to information disclosure, privilege escalation, and remote code execution if exploited. These issues were addressed in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8, which were released on January 8 and 13, 2025.
The attack began after the actor connected to the network through a vulnerable SimpleHelp client from an IP address in Estonia. Once connected, they quickly carried out post-compromise activity such as discovering system details, enumerating user accounts, and identifying network information.
The attacker then escalated their access by creating an administrator account called "sqladmin." This account was used to install a backdoor, agent[.]exe, designed to maintain persistent access even if the RMM client was removed. Notably, the agent.exe binary exhibited features consistent with Sliver, a modular post-exploitation framework written in Go that provides command-and-control capabilities and can evade traditional security controls. After learning the location of the target's domain controller, the attackers attempted to install a cloudflared tunnel masquerading as the legitimate svchost.exe process to avoid detection.
Security Officer Comments: According to Field Effect, its Managed Detection and Response (MDR) system triggered a high-severity alert, leading to a swift analyst investigation and the isolation of the affected endpoint. This prevented the actor from deploying ransomware or gaining deeper control over the network.
The TTPs employed in this attack, particularly the installation of a cloudflared tunnel, are similar to those seen in a campaign attributed to the Akira ransomware group in May 2023. However, because the details do not overlap sufficiently, Field Effect cannot confidently attribute the attack to Akira. Field Effect notes that these TTPs are not exclusive to Akira and could also be employed by other threat actors.
Suggested Corrections: To defend against these attacks, organizations using SimpleHelp RMM should take the following steps:
- Patch & update: Ensure SimpleHelp and all remote access tools are up to date to mitigate known vulnerabilities.
- Restrict remote access: Limit SimpleHelp access to trusted IP ranges and implement multi-factor authentication (MFA).
- Monitor for IoCs: Actively monitor network traffic and logs for connections to the listed malicious IPs.
- Audit user accounts: Regularly review administrative accounts for unauthorized additions such as 'sqladmin' and 'fpmhlttech', both of which were observed in this incident.
- Threat hunting: Search for the presence of agent.exe or cloudflared.exe masquerading in unexpected locations.
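As an added example (not code from the Field Effect post), the following PowerShell script combines the account-audit and threat-hunting steps above into a single host-level check: it lists local Administrators not on a baseline, pulls recent account-creation events (Security event 4720), and flags agent.exe, cloudflared.exe, or an svchost.exe that runs outside System32/SysWOW64, is not Microsoft-signed, or carries tunnel-style arguments. The account names, binary names and the svchost.exe masquerading detail come from the write-up; the $ExpectedAdmins baseline, the 30-day lookback and the command-line pattern are assumptions you must tailor.

```powershell
# Added hunting script for the indicators in the Field Effect write-up. Not part of the original post.
# Assumptions: elevated Windows PowerShell 5.1+ on the endpoint; $ExpectedAdmins is a placeholder
# baseline; the 30-day window and the tunnel-argument regex are arbitrary choices.

$ExpectedAdmins     = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')  # placeholder baseline
$SuspectAccounts    = @('sqladmin', 'fpmhlttech')                                   # accounts seen in the incident
$SuspectBinaries    = @('agent.exe', 'cloudflared.exe', 'svchost.exe')              # svchost.exe is checked for masquerading
$TrustedSvchostDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$LookbackDays       = 30

function Get-EventField($Event, [string]$Name) {
    # Read a named EventData field from the event XML rather than relying on property positions.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-UnexpectedAdmins {
    # Local Administrators that are missing from the baseline or match an incident account name.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
        $name  = $_.Name
        $short = $name.Split('\')[-1]
        if ($ExpectedAdmins -notcontains $name -or $SuspectAccounts -contains $short) {
            [pscustomobject]@{ Check = 'LocalAdmin'; Detail = $name; Reason = 'not on baseline or matches incident account' }
        }
    }
}

function Find-RecentAccountCreations {
    # Security event 4720 = "A user account was created". -ErrorAction hides the "no events found" error.
    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $target  = Get-EventField $_ 'TargetUserName'
        $creator = Get-EventField $_ 'SubjectUserName'
        $reason  = if ($SuspectAccounts -contains $target) { 'matches incident account' } else { 'review' }
        [pscustomobject]@{ Check = 'AccountCreated'; Detail = "$target (by $creator at $($_.TimeCreated))"; Reason = $reason }
    }
}

function Find-MasqueradingProcesses {
    # agent.exe / cloudflared.exe are flagged on sight; svchost.exe only when path, signature or arguments are off.
    Get-CimInstance Win32_Process | Where-Object { $SuspectBinaries -contains $_.Name } | ForEach-Object {
        $p = $_; $path = $p.ExecutablePath; $reasons = @()
        if ($p.Name -ne 'svchost.exe') {
            $reasons += 'binary name seen in incident'
        } else {
            $dir = if ($path) { Split-Path $path -Parent } else { '' }
            if ($TrustedSvchostDirs -notcontains $dir) { $reasons += "unexpected path: $path" }
            if ($path -and (Test-Path $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $reasons += 'not Microsoft-signed'
                }
            }
        }
        # Real svchost.exe is launched with "-k <group>"; cloudflared-style tunnel arguments never appear.
        if ($p.CommandLine -match 'tunnel|cloudflare|--url') { $reasons += 'tunnel-style command line' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Check = 'Process'; Detail = "$($p.Name) pid $($p.ProcessId) $path"; Reason = ($reasons -join '; ') }
        }
    }
}

function Invoke-SimpleHelpHunt {
    # Returns one finding object per hit so the output can be piped, exported or fed to a SIEM.
    @(Find-UnexpectedAdmins) + @(Find-RecentAccountCreations) + @(Find-MasqueradingProcesses)
}

Invoke-SimpleHelpHunt | Format-Table -AutoSize
```

The script only reports; isolation and account removal remain analyst decisions. The signature check needs the binary still on disk, so a process whose image was deleted after launch shows only the path and command-line reasons. Swap the Format-Table call for Export-Csv when running it across a fleet.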
Link(s): https://fieldeffect.com/blog/field-...elp-exploits-enabling-deployment-of-backdoors