A targeted cyber-attack exploiting a managed service provider\u2019s (MSP) remote monitoring and management tool has resulted in ransomware deployment and data theft across several client networks.<\/p>\n
The incident, identified and partly contained by Sophos Managed Detection and Response (MDR), involved the DragonForce ransomware-as-a-service (RaaS) operation.<\/p>\n
The attack began when a threat actor accessed the MSP\u2019s SimpleHelp remote monitoring and management (RMM) tool. From there, they pushed a malicious installer to multiple endpoints, gaining control of several client systems.<\/p>\n
Sophos researchers believe with medium confidence that the attacker exploited a combination of three vulnerabilities disclosed earlier this year:<\/p>\n
– CVE-2024-57727: Path traversal vulnerabilities
\n– CVE-2024-57728: Arbitrary file upload flaw
\n– CVE-2024-57726: Privilege escalation issue<\/p>\n
Once inside, the attackers exfiltrated sensitive client data and used DragonForce ransomware to encrypt systems. The group adopted a double extortion strategy, demanding ransom while threatening to leak stolen data.<\/p>\n
The breach was first detected through an anomalous SimpleHelp installer.<\/p>\n
Sophos said it traced the activity back to the MSP\u2019s RMM instance and found the attacker had gathered detailed information across multiple customer environments, including device names, user data, and network configurations.<\/p>\n
One client, protected by Sophos XDR and enrolled in MDR services, avoided the ransomware attack entirely. According to the security firm, behavioral detection and swift incident response actions neutralized the threat before damage occurred.<\/p>\n
However, other clients without MDR coverage were affected by both data loss and ransomware encryption.<\/p>\n
Sophos Rapid Response has since been engaged to assist the MSP with forensics and containment.<\/p>\n
DragonForce, which surfaced in mid-2023, has recently shifted to a distributed affiliate model and branded itself as a \u201ccartel.\u201d This rebranding aligns with its efforts to broaden its affiliate base.<\/p>\n
The group recently claimed to have taken over RansomHub infrastructure, a move that\u2019s drawn significant attention within the cyber-threat community.<\/p>\n
Reports suggest well-known ransomware affiliates have adopted DragonForce in recent attacks. These campaigns have targeted prominent retail businesses in both the UK and the US.<\/p>\n","protected":false},"excerpt":{"rendered":"
A targeted cyber-attack exploiting a managed service provider\u2019s (MSP) remote monitoring and management tool has resulted in ransomware deployment and…<\/p>\n","protected":false},"author":1,"featured_media":1558,"comment_status":"open","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[175,119,67],"class_list":["post-1557","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-cyber-attack","tag-data-theft","tag-ransomware"],"acf":[],"yoast_head":"\n