Ransomware scum disrupted utility services with SimpleHelp attacks
(2025/06/13)
- Reference: 1749772538
- News link: https://www.theregister.co.uk/2025/06/12/cisa_simplehelp_flaw_exploit_warning/
Ransomware criminals infected a utility billing software provider's customers, and in some cases disrupted services, after exploiting unpatched versions of SimpleHelp's remote monitoring and management (RMM) tool, according to a Thursday CISA alert.
"This incident is part of a broader trend of ransomware actors exploiting unpatched versions of SimpleHelp RMM since January 2025," the security advisory [1]warned. "Ransomware actors likely exploited CVE-2024-57727 to access downstream customers' unpatched SimpleHelp RMM, resulting in service disruptions and double extortion incidents."
CVE-2024-57727 is a high-severity path traversal vulnerability that affects SimpleHelp 5.5.7 and prior versions. The vendor [2]fixed the hole in January, but [3]ransomware crews reportedly exploited unpatched versions.
The cyber-defense agency's warning follows a [5]similar advisory from the feds, issued last week, about Play ransomware gang members exploiting the same SimpleHelp security flaw in double-extortion attacks. Those incidents see criminals first steal sensitive data, then encrypt victims' files, before threatening to release the stolen information online unless the victims pay up.
Play ransomware was among the [8]top five targeting critical infrastructure last year.
[9]Play ransomware crims exploit SimpleHelp flaw in double-extortion schemes
[10]DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware
[11]Ransomware scum and other crims bilked victims out of a 'staggering' $16.6B last year, says FBI
[12]'Major compromise' at NHS temping arm exposed gaping security holes
CISA's very brief advisory encourages organizations using SimpleHelp's remote-access tool to search for evidence of compromise and patch CVE-2024-57727 if they haven't already.
Neither SimpleHelp nor CISA immediately responded to The Register's inquiries regarding the scope and scale of attacks abusing the remote-management software. We will update this story if we receive responses.
The CISA advisory also follows an earlier report about DragonForce ransomware [13]infecting a managed service provider and its customers after exploiting CVE-2024-57727.
In addition to deploying their encryptor across multiple endpoints, the criminals also stole sensitive data and used double-extortion tactics to pressure the victims into paying a ransom. ®
[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a
[2] https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
[3] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[5] https://www.theregister.com/2025/06/04/play_ransomware_infects_900_victims/
[8] https://www.theregister.com/2025/04/24/ransomware_scum_and_other_crims/
[9] https://www.theregister.com/2025/06/04/play_ransomware_infects_900_victims/
[10] https://www.theregister.com/2025/05/28/dragonforce_ransomware_gang_sets_fire/
[11] https://www.theregister.com/2025/04/24/ransomware_scum_and_other_crims/
[12] https://www.theregister.com/2025/06/12/compromise_nhs_professionals/
[13] https://www.theregister.com/2025/05/28/dragonforce_ransomware_gang_sets_fire/