Ransomware Group Exploits SimpleHelp RMM Vulnerability to Compromise Utility Billing Systems


Ransomware actors have compromised the customers of a utility billing software provider by exploiting a vulnerability in the SimpleHelp Remote Monitoring and Management (RMM) tool.

An advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) places this incident within a broader campaign, running since January 2025, against organizations running unpatched versions of SimpleHelp RMM. SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, most notably a path traversal flaw tracked as CVE-2024-57727.

CISA noted that ransomware actors used CVE-2024-57727 to gain access to unpatched SimpleHelp RMM installations belonging to the provider's downstream customers, then disrupted services and carried out double extortion. CISA therefore urges all software vendors, downstream customers, and end users to check for compromise via the SimpleHelp vulnerability and to apply the recommended mitigations.

Exploitation of SimpleHelp Flaws by DragonForce

CVE-2024-57727 was first published in January 2025 and added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2025. The flaw allows an unauthenticated remote attacker to download arbitrary files from the SimpleHelp host using crafted HTTP requests, including server configuration files that may contain sensitive information such as server secrets and hashed user passwords.

In May, researchers from Sophos reported DragonForce ransomware being deployed across several client networks by chaining CVE-2024-57727 with two other vulnerabilities disclosed in January:
– CVE-2024-57728: a high-severity flaw that lets admin users upload arbitrary files to any location on the file system via a crafted zip file.
– CVE-2024-57726: a critical privilege escalation flaw that lets low-privileged technicians create API keys with excessive permissions.

After encrypting the data, the attackers followed a double extortion strategy, demanding a ransom and threatening to publish the stolen data.

CISA did not disclose the specific ransomware group responsible for targeting the utility software provider.

Protective Measures Against SimpleHelp Compromise

CISA has issued recommendations for software vendors, downstream customers, and end users to identify any impact from vulnerable SimpleHelp versions and mitigate related risks.

For Software Vendors

Software vendors that either embed SimpleHelp in their own software or use it through a third-party service provider should confirm the SimpleHelp server version (recorded at the top of the server's configuration file). If version 5.5.7 or earlier has been in use at any time since January 2025, they should take the following actions:
– Isolate the SimpleHelp server from the internet or cease server operations.
– Upgrade immediately to the latest SimpleHelp version to address the vulnerabilities.
– Inform all downstream customers and advise them to secure their endpoints and perform threat hunting actions on their networks.

For Downstream Customers and End Users

Downstream customers must quickly determine whether their systems are running an unpatched version of SimpleHelp RMM, either directly or through third-party software. The operating-system-specific install paths to check are:
– Windows: %APPDATA%\JWrapper-Remote Access
– Linux: /opt/JWrapper-Remote Access
– macOS: /Library/Application Support/JWrapper-Remote Access

To confirm the SimpleHelp version on any identified endpoint, perform an HTTP query against the SimpleHelp server. If version 5.5.7 or earlier is found, organizations should threat hunt for signs of compromise and continuously monitor both inbound and outbound traffic associated with the SimpleHelp server.

If there is no evidence of compromise, upgrade promptly to the latest SimpleHelp version, or apply suitable workarounds if an immediate upgrade is not feasible.
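The vendor and downstream-customer checks above share two steps that are easy to get wrong: deciding whether a version string is "5.5.7 or earlier" (a plain string comparison ranks 5.5.10 below 5.5.7), and hunting web access logs for the URL-encoded path traversal that CVE-2024-57727 relies on. The following Python script is an added example for this page, not CISA's or SimpleHelp's tooling. It assumes the install paths listed above, takes the version string as input rather than querying the server itself, and runs its traversal hunt over constructed sample log lines in common log format:

```python
"""Triage helpers for the SimpleHelp RMM checks in the advisory.

Added example, not CISA's or SimpleHelp's own code. Assumptions:
- install paths are the three listed in the advisory;
- the version string is obtained separately (e.g. from the HTTP query
  to the server, or the server's configuration file) and passed in;
- the access-log lines below are constructed for illustration only.
"""
import os
import platform
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

# Highest affected release named in the advisory: 5.5.7 and earlier.
LAST_VULNERABLE: Tuple[int, int, int] = (5, 5, 7)

# Advisory install paths, keyed by platform.system() output.
INSTALL_PATHS = {
    "Windows": os.path.expandvars(r"%APPDATA%\JWrapper-Remote Access"),
    "Linux": "/opt/JWrapper-Remote Access",
    "Darwin": "/Library/Application Support/JWrapper-Remote Access",
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted x.y.z version out of arbitrary text (an HTTP
    response body, a config-file line) as a tuple of ints so that
    5.5.10 compares greater than 5.5.7."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version is 5.5.7 or earlier, False if newer,
    None if no version could be parsed (treat as 'investigate')."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    return parsed <= LAST_VULNERABLE


def installed_paths(system: Optional[str] = None) -> List[str]:
    """Return the advisory install path for this host if it exists."""
    system = system or platform.system()
    path = INSTALL_PATHS.get(system)
    return [path] if path and os.path.isdir(path) else []


# Threat hunting: traversal sequences in request targets, after decoding.
_TRAVERSAL = re.compile(r"\.\.[/\\]")
_REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def traversal_hits(log_lines: Iterable[str]) -> List[str]:
    """Return access-log lines whose request target contains '../' once
    URL-decoded. Decoding twice catches double-encoded forms (%252e)."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue  # not a request line; nothing to inspect
        target = unquote(unquote(m.group(1)))
        if _TRAVERSAL.search(target):
            hits.append(line)
    return hits


# Constructed sample log (not real traffic): two benign requests, two
# traversal attempts, one of them double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jan/2025:10:21:07 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Jan/2025:10:21:09 +0000] "GET /app/..%2f..%2fconfig/secret.xml HTTP/1.1" 200 2048',
    '198.51.100.7 - - [14/Jan/2025:10:22:31 +0000] "GET /search?q=a..b HTTP/1.1" 200 64',
    '198.51.100.7 - - [14/Jan/2025:10:22:40 +0000] "GET /app/%252e%252e/%252e%252e/config/secret.xml HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("install paths found:", installed_paths())
    for v in ("5.5.7", "5.5.10", "SimpleHelp 5.4.12"):
        print(v, "-> vulnerable:", is_vulnerable(v))
    for hit in traversal_hits(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Feed `is_vulnerable` the raw body of the version query and `traversal_hits` the server's access log; a `None` from `is_vulnerable` means the version could not be read and the host should be treated as unverified rather than safe.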