Type: Campaign
Actors: DragonForce
Pub. date: May 28, 2025
Initial access: 1-day vulnerability, Supply chain vector
Impact: RansomOp
Observed techniques: Supply Chain Compromise, Vulnerability exploitation
Observed tools: DragonForce ransomware
Targeted technologies: SimpleHelp
References: https://socradar.io/dragonforce-exploits-simplehelp-msp-ransomware/
Status: Finalized
Last edited: May 29, 2025 11:05 AM

DragonForce gained access to an MSP’s SimpleHelp instance and weaponized its remote management capabilities to deliver a malicious installer to client environments. Once executed, the installer enabled credential harvesting, network reconnaissance, and ransomware deployment. The attackers exploited three known vulnerabilities in SimpleHelp:
- CVE-2024-57726 (CVSS 9.9): Privilege escalation flaw.
- CVE-2024-57727 (CVSS 7.5): Path traversal vulnerability.
- CVE-2024-57728 (CVSS 7.2): Arbitrary file upload flaw.