Management (RMM) clients to gain administrative control, install backdoors, and possibly set the stage for ransomware deployment.
The vulnerabilities, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were initially flagged by Arctic Wolf as potential attack vectors last week. While the firm could not verify active exploitation, cybersecurity company Field Effect has now confirmed their abuse in ongoing cyberattacks.
Field Effect shared its findings with BleepingComputer, highlighting that the attack patterns bear similarities to Akira ransomware activity. However, researchers lack definitive evidence to attribute these attacks with high confidence.
The breach begins when attackers exploit SimpleHelp RMM vulnerabilities to gain unauthorized access to a target system. The initial connection originates from IP address 194.76.227[.]171, linked to an Estonian server running a SimpleHelp instance on port 80.
Once inside, the attackers execute reconnaissance commands to gather information on system architecture, user privileges, network configurations, scheduled tasks, services, and Domain Controller (DC) details. Researchers also observed a specific command attempting to identify the CrowdStrike Falcon security suite, likely as part of an evasion strategy.
Levera
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: