A threat actor leveraging DragonForce ransomware exploited a chain of vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726) in SimpleHelp, a legitimate remote monitoring and management (RMM) tool used by the MSP. The attacker compromised the MSP’s SimpleHelp server instance, then pushed the ransomware payload to its client organizations. Before deployment, the attacker gathered sensitive data from multiple customer estates, including device configurations, user details, and network connections. Sophos MDR detected the attack early, preventing full ransomware deployment on at least one client (a Sophos-protected entity). However, the breach exposed the MSP’s infrastructure and its clients to potential data exfiltration, operational disruption, and financial extortion. The incident mirrors prior DragonForce attacks on UK retailers, where affiliates combined ransomware-as-a-service (RaaS) tools with social engineering tactics. The MSP engaged Sophos Rapid Response for forensics, but the scale of data exposure across its client base remains unclear. The attack underscores risks in supply-chain compromises via trusted RMM tools.
TPRM report: https://www.rankiteo.com/company/reliable-i.t-systems-company
"id": "rel809090225",
"linkid": "reliable-i.t-systems-company",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'multiple (including at least one Sophos client)',
'type': 'Managed Service Provider (MSP)'},
{'industry': ['various', 'including healthcare (historically targeted)'],
'type': 'MSP Clients'}],
'attack_vector': ['exploitation of vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726)',
'compromised RMM tool (SimpleHelp)',
'lateral movement via MSP'],
'data_breach': {'data_exfiltration': ['likely (reconnaissance data collected)'],
'sensitivity_of_data': ['medium (operational and network data)'],
'type_of_data_compromised': ['device names', 'configurations', 'user data', 'network connections']},
'description': 'A threat actor using the DragonForce ransomware compromised an unnamed managed service provider (MSP) and deployed malware onto its client organizations via SimpleHelp, a legitimate remote monitoring and management (RMM) tool. The attack exploited a chain of vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726) released in January 2025, which allowed compromise of SimpleHelp server instances and deployment of malicious payloads to client machines. Sophos MDR detected the attack via a suspicious SimpleHelp installer file and intervened to prevent ransomware deployment on at least one client network. The MSP engaged Sophos Rapid Response for digital forensics and incident response.',
'impact': {'brand_reputation_impact': ['potential reputational damage to MSP and affected clients'],
'operational_impact': ['unauthorized access to MSP client estates',
'collection of device names, configurations, users, and network connections'],
'systems_affected': ["MSP's SimpleHelp RMM server",
'client machines with SimpleHelp client software']},
'initial_access_broker': {'entry_point': ['exploited vulnerabilities in SimpleHelp RMM tool (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726)'],
'high_value_targets': ['MSP client estates', 'device configurations', 'user data', 'network connections']},
'investigation_status': 'ongoing (digital forensics and incident response in progress)',
'motivation': ['financial gain', 'data exfiltration (potential)'],
'post_incident_analysis': {'root_causes': ['unpatched vulnerabilities in SimpleHelp RMM tool',
'lack of detection for suspicious installer activity']},
'ransomware': {'data_encryption': ['attempted (prevented on at least one client network)'],
'data_exfiltration': ['likely (reconnaissance phase)'],
'ransomware_strain': 'DragonForce'},
'references': [{'source': 'Sophos MDR Incident Report'}],
'response': {'communication_strategy': ['public disclosure via Sophos', 'sharing of indicators of compromise'],
'containment_measures': ['shut down attacker access to at least one client network'],
'incident_response_plan_activated': True,
'remediation_measures': ['digital forensics', 'incident response by Sophos Rapid Response'],
'third_party_assistance': ['Sophos MDR', 'Sophos Rapid Response']},
'threat_actor': 'DragonForce (Ransomware-as-a-Service cartel)',
'title': 'DragonForce Ransomware Attack via Compromised MSP Using SimpleHelp RMM Tool',
'type': ['ransomware', 'supply chain attack', 'vulnerability exploitation'],
'vulnerability_exploited': ['CVE-2024-57727', 'CVE-2024-57728', 'CVE-2024-57726']}