| Field | Value |
| --- | --- |
| Type | Campaign |
| Actors | |
| Pub. date | May 28, 2025 |
| Initial access | 1-day vulnerability, Supply chain vector |
| Impact | RansomOp |
| Observed techniques | |
| Observed tools | |
| Targeted technologies | |
| Status | Finalized |
| Last edited | May 29, 2025 11:05 AM |

DragonForce gained access to an MSP’s SimpleHelp instance and weaponized its remote management capabilities to deliver a malicious installer to client environments. Once executed, the installer enabled credential harvesting, network reconnaissance, and ransomware deployment. The attackers exploited three known vulnerabilities in SimpleHelp:
- CVE-2024-57726 (CVSS 9.9): Privilege escalation flaw.
- CVE-2024-57727 (CVSS 7.5): Path traversal vulnerability.
- CVE-2024-57728 (CVSS 7.2): Arbitrary file upload flaw.