Managed Service Provider

The DragonForce ransomware operation successfully breached a managed service provider (MSP) and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems. The threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system. The attackers first performed reconnaissance on customer systems, collecting information about the MSP's customers, device names, configurations, users, and network connections. They then attempted to steal data and deploy encryptors on customer networks; on one network these attempts were blocked by Sophos endpoint protection. Other customers were not so lucky: their devices were encrypted and their data stolen for double-extortion attacks. The breach has led to significant data theft and encryption of customer systems.

Source: https://www.bleepingcomputer.com/news/security/dragonforce-ransomware-abuses-simplehelp-in-msp-supply-chain-attack/

TPRM report: https://scoringcyber.rankiteo.com/company/managedserviceprovider

"id": "man743052825",
"linkid": "managedserviceprovider",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization's existence: Attack in which the personal and financial information is compromised"
{'affected_entities': [{'customers_affected': True,
                        'industry': 'Retail',
                        'location': 'United Kingdom',
                        'name': 'Marks & Spencer',
                        'type': 'Retailer'},
                       {'customers_affected': True,
                        'industry': 'Retail',
                        'location': 'United Kingdom',
                        'name': 'Co-op',
                        'type': 'Retailer'}],
 'attack_vector': 'Exploit of Vulnerabilities',
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'description': 'The DragonForce ransomware operation successfully breached a '
                'managed service provider and used its SimpleHelp remote '
                'monitoring and management (RMM) platform to steal data and '
                "deploy encryptors on downstream customers' systems.",
 'impact': {'data_compromised': True,
            'downtime': True,
            'operational_impact': True,
            'systems_affected': True},
 'initial_access_broker': {'entry_point': 'SimpleHelp RMM platform',
                           'high_value_targets': True,
                           'reconnaissance_period': True},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain, Data theft',
 'post_incident_analysis': {'root_causes': 'Exploit of older SimpleHelp '
                                           'vulnerabilities'},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'DragonForce'},
 'references': [{'source': 'Sophos Report'}, {'source': 'BleepingComputer'}],
 'response': {'containment_measures': 'Sophos endpoint protection',
              'third_party_assistance': 'Sophos'},
 'threat_actor': 'DragonForce',
 'title': 'DragonForce Ransomware Attack on Managed Service Provider',
 'type': 'Ransomware',
 'vulnerability_exploited': ['CVE-2024-57727',
                             'CVE-2024-57728',
                             'CVE-2024-57726']}