Hackers Exploit SimpleHelp RMM Flaws to Deploy Sliver Malware

Cybercriminals have recently been targeting vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) software to gain unauthorized access, deploy malware, and possibly pave the way for future ransomware attacks. The vulnerabilities in question are tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, which were reported last week by cybersecurity firm Arctic Wolf. While Arctic Wolf suggested these flaws may be actively exploited, it could not conclusively confirm in-the-wild use. Further investigation by cybersecurity firm Field Effect has since confirmed that the vulnerabilities are being actively exploited, and has provided more insight into the attackers' post-exploitation activity.
The Exploitation Process
The attack begins with hackers exploiting the flaws in the SimpleHelp RMM client to create an unauthorized connection to the target endpoint. SimpleHelp RMM software allows IT professionals to remotely manage and troubleshoot systems, making it an attractive target for cybercriminals seeking to infiltrate networks without being detected.
The malicious actors initially connected from an Estonia-based IP address (194.76.227[.]171), where a SimpleHelp instance was running on port 80. By exploiting the vulnerabilities in the RMM client, they were able to bypass the normal security controls and gain access to the victim's network. Once connected to the remote system, the attackers quickly ran a series of discovery commands aimed at gathering information about the target environment, including details on the system and network, user privileges, scheduled tasks, services, and domain controllers.
In particular, Field Effect observed a command designed to detect the presence of CrowdStrike Falcon, an endpoint protection suite. This is likely a deliberate attempt by the attackers to identify and bypass any security measures that might be in place to detect malicious activity.
Establishing Persistence
Once the attackers had gathered enough information, they proceeded with escalating their privileges and solidifying their foothold in the network. They created a new administrator account, labeled “sqladmin,” which granted them persistent access to the compromised system. Following this, they installed the Sliver post-exploitation framework on the infected host.
Sliver is a popular open-source post-exploitation framework developed by Bishop Fox that has gained significant traction over the past couple of years. It has become an attractive alternative to Cobalt Strike, another widely used post-exploitation framework, especially since Cobalt Strike is increasingly detected by modern endpoint protection systems.
Sliver operates by establishing a reverse shell, connecting back to a command-and-control (C2) server to await further instructions. The beacon observed during this attack was configured to connect to a C2 located in the Netherlands. Additionally, a backup IP with Remote Desktop Protocol (RDP) enabled was discovered, suggesting that the attackers were prepared for a broader range of control mechanisms, increasing their ability to maintain access to the victim’s environment.
Moving Further Into the Network
The attackers did not stop at compromising individual systems. They sought to move laterally within the target network by focusing on the Domain Controller (DC). Using the same SimpleHelp RMM client, they established another administrator account named “fpmhlttech.” This new account allowed them to escalate their access further and explore additional parts of the network.
Rather than relying on traditional backdoors, the attackers installed a Cloudflare Tunnel, cleverly disguised as the legitimate Windows process “svchost.exe.” This technique helped maintain stealthy access, as it bypassed security controls, firewalls, and traditional endpoint detection tools. The use of Cloudflare Tunnel allowed the attackers to disguise their malicious activity, making it more difficult for security professionals to identify the compromise.
Signs of Ransomware Activity
As the attackers deepened their access to the compromised environment, researchers from Field Effect observed indications that the attack may be linked to Akira ransomware campaigns. Akira ransomware is a relatively new player in the ransomware space, but its popularity has been rising, especially due to its sophistication and ability to evade detection.
While there is no concrete evidence at this time to definitively attribute the attack to Akira ransomware, the observed tactics, techniques, and procedures (TTPs) align with those seen in previous Akira ransomware operations. This suggests that ransomware may be the end goal of the attackers, even if it hasn’t been deployed in this instance.
Recommendations for SimpleHelp Users
In light of these findings, users of SimpleHelp RMM software are strongly advised to take immediate action to protect their systems and networks from further compromise. Below are some key recommendations for mitigating the risk posed by these vulnerabilities:
Apply Security Patches: SimpleHelp users should promptly apply the available security updates that address CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. These updates fix the vulnerabilities being exploited in the wild. Users should refer to the vendor's official security bulletin for details on how to update their systems.
Monitor for Unusual Accounts: It is recommended that administrators look for any unfamiliar administrator accounts within the system, such as “sqladmin” and “fpmhlttech.” These accounts were created by the attackers to maintain their foothold within the compromised network, and they should be immediately reviewed and deleted if found.
Check for Suspicious Connections: Security professionals should also check for any unusual connections to IP addresses listed in Field Effect’s report. Specifically, look for connections to IPs associated with the C2 server in the Netherlands and any backup IPs that may have RDP enabled. Blocking these IP addresses can prevent further unauthorized access to the network.
Restrict RMM Access: To mitigate the risk of future attacks, SimpleHelp users should restrict access to their RMM client to trusted IP ranges only. This will prevent unauthorized actors from exploiting the vulnerabilities in the first place. If possible, implement multi-factor authentication (MFA) for RMM access, which can provide an additional layer of security.
Implement Network Segmentation: Network segmentation is a critical security measure that can prevent attackers from moving laterally within a compromised environment. By isolating critical systems and sensitive data, organizations can limit the damage caused by a breach and make it more difficult for attackers to gain full control of the network.
Review Endpoint Security Measures: Organizations should also review their endpoint protection tools to ensure they are up to date and capable of detecting modern post-exploitation frameworks like Sliver. Endpoint detection and response (EDR) tools should be configured to identify and block unusual behavior patterns associated with tools like Sliver and Cobalt Strike.
Conduct Post-Exploitation Analysis: If an organization suspects they have been compromised, it is essential to conduct a thorough post-exploitation analysis. This includes investigating all systems for signs of malware, unauthorized accounts, and suspicious activity. A full forensic investigation should be performed to assess the extent of the breach and determine any data exfiltration or ransomware deployment.
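The account, process and connection checks recommended above can be encoded in a small triage script. The following Python is an added example written for this page; it is not code from the Field Effect report or from SimpleHelp. It assumes a simple record format (one dict per account, process or network event, as a SIEM export might provide), that the legitimate svchost.exe lives only under System32/SysWOW64, and that the caller supplies the list of approved local administrators. The sample events are constructed.

```python
"""Host triage for the intrusion pattern described above: attacker-created admin
accounts, svchost.exe masquerading, and connections to the reported IP."""
from pathlib import PureWindowsPath
SUSPECT_ACCOUNTS = {"sqladmin", "fpmhlttech"}        # account names from the article
SUSPECT_IPS = {"194.76.227.171"}                       # article's IP, re-fanged
# Where the real svchost.exe lives (assumption: default Windows install paths)
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def check_account(ev, known_admins):
    """Account-created / group-membership record (cf. Security events 4720, 4732)."""
    name = ev["account"].lower()
    if name in SUSPECT_ACCOUNTS:
        return f"attacker-associated account '{ev['account']}'"
    if ev.get("group", "").lower() == "administrators" and name not in known_admins:
        return f"unapproved admin account '{ev['account']}'"
    return None

def check_process(ev, _):
    """svchost.exe started outside its legitimate directories is a masquerade."""
    p = PureWindowsPath(ev["image"])
    if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SVCHOST_DIRS:
        return f"svchost.exe masquerade at {ev['image']}"
    return None

def check_netconn(ev, _):
    """Outbound connection to an IP named in the report."""
    if ev["dst"] in SUSPECT_IPS:
        return f"connection to reported IP {ev['dst']}:{ev['port']}"
    return None

CHECKS = {"account": check_account, "process": check_process, "netconn": check_netconn}

def triage(events, known_admins=frozenset()):
    """Return (host, reason) for every record that trips a check, in input order."""
    approved = {a.lower() for a in known_admins}
    hits = []
    for ev in events:
        reason = CHECKS[ev["type"]](ev, approved)
        if reason:
            hits.append((ev["host"], reason))
    return hits

# Constructed sample: one benign record of each kind plus the three attack patterns.
SAMPLE_EVENTS = [
    {"type": "account", "host": "WS01", "account": "jdoe", "group": "Users"},
    {"type": "account", "host": "WS01", "account": "sqladmin", "group": "Administrators"},
    {"type": "account", "host": "DC01", "account": "backupops", "group": "Administrators"},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "host": "DC01", "image": r"C:\ProgramData\Temp\svchost.exe"},
    {"type": "netconn", "host": "WS01", "dst": "194.76.227.171", "port": 80},
]
```

Running `triage(SAMPLE_EVENTS, known_admins={"itadmin"})` flags the two attacker-style accounts, the relocated svchost.exe and the connection to the reported IP while leaving the benign records alone; the IP and account lists should be extended from the full Field Effect report before use.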
Conclusion
The exploitation of SimpleHelp RMM vulnerabilities to deploy Sliver malware is a stark reminder of the importance of patching vulnerabilities and maintaining strong security hygiene. While the immediate goal of the attackers may not have been ransomware deployment, the use of advanced tools like Sliver and the signs of Akira ransomware suggest that ransomware could be on the horizon. As the cybersecurity landscape continues to evolve, organizations must remain vigilant, apply timely updates, and implement layered defenses to protect their networks from evolving threats.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest services and cybersecurity news covering IT, web, mobile (iOS, Android), API, cloud, IoT, network, application and system security, red teaming, social engineering, wireless, and source code.