Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems

Cybercriminals are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to infiltrate networks, create unauthorized administrator accounts, and deploy malware, including the Sliver backdoor.

These flaws, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were disclosed in early January 2025 by researchers at Horizon3.ai.

Despite the availability of patches, unpatched systems remain vulnerable to these sophisticated attacks.

Exploitation Details

The vulnerabilities allow attackers to escalate privileges to administrator levels, upload or download files, and execute arbitrary code.

In observed cases, attackers exploited these flaws to gain initial access through compromised SimpleHelp clients.

Using commands like ipconfig and nltest, they gathered system and network information before creating administrator accounts such as “sqladmin” and “fpmhlttech.”

These accounts facilitated the installation of malicious payloads like the Sliver post-exploitation framework.

Sliver, an open-source tool originally designed for penetration testing, has been repurposed by threat actors for command-and-control (C2) operations.

The malware connects to servers hosted in Estonia and the Netherlands via encrypted communication channels, evading detection by most security tools.

Additionally, attackers deployed Cloudflare tunnels disguised as legitimate Windows processes to maintain stealthy access to compromised systems.

Attack Progression

The attacks typically begin with unauthorized access through the SimpleHelp client running on vulnerable endpoints.

Once inside, threat actors perform reconnaissance, establish persistence mechanisms, and prepare for lateral movement across networks.

In one instance, attackers targeted a domain controller (DC), creating new admin accounts and deploying a disguised Cloudflare tunnel to bypass firewalls.

Automated policies flagged suspicious behavior related to SimpleHelp software exploitation, enabling rapid response teams to isolate affected systems before ransomware deployment could occur.

To mitigate these risks, organizations using SimpleHelp RMM software should immediately apply security updates released in versions 5.3.9, 5.4.10, and 5.5.8.

Additional measures include:

• Restricting access to SimpleHelp servers by implementing IP whitelisting and multi-factor authentication (MFA).
• Actively monitoring for indicators of compromise (IoCs), such as connections to malicious IPs or the presence of unauthorized admin accounts like “sqladmin.”
• Removing unused SimpleHelp clients from systems to reduce attack surfaces.

The exploitation of SimpleHelp vulnerabilities underscores the importance of timely patch management and proactive threat detection.

While some attacks have been linked to tactics used by groups like Akira Ransomware, definitive attribution remains elusive due to the widespread adoption of similar techniques by various threat actors.

Field Effect continues to monitor this campaign and advises organizations to remain vigilant against potential follow-up attacks leveraging these vulnerabilities.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free