RMM attacks on the rise as DragonForce group spreads

The infamous DragonForce ransomware gang is turning to remote management (RMM) tools to carry out complex cyber attacks, new reports have warned.
This approach enables ransomware attackers to achieve broad reach within victim networks, efficiently implement their malicious payloads, and inflict maximum disruption.
In one incident, DragonForce infiltrated an MSP and its clients through the MSP's outdated instance of SimpleHelp, a widely adopted RMM product.
Having gained access via the MSP's legitimate SimpleHelp instance, the actor was able to deploy a malicious installer to multiple endpoints, essentially repurposing the RMM solution as the ransomware's own distribution network.
According to security researchers, one of the first compromises of the SimpleHelp platform was made possible by chaining three vulnerabilities: a path traversal (CVE-2024-57727), an arbitrary file upload (CVE-2024-57728), and a privilege escalation (CVE-2024-57726).
Left unpatched, these vulnerabilities can be exploited to remotely access affected devices, upload malicious files, and escalate to full control over the compromised system.
Once inside the affected networks, the DragonForce attackers exfiltrated sensitive data, including device names, user data, and network configurations. They then executed their ransomware and applied double extortion, demanding a ransom both to decrypt the files and to refrain from leaking the stolen data.
This latest campaign underscores the very real dangers posed by insecurely managed RMM tools. Although RMM tools are crucial for IT service staff to control and troubleshoot remote systems, the privileged access built into them has also made them attractive targets for attackers.
An RMM platform is a treasure trove for attackers seeking a single point of entry to thousands of interconnected systems, from which damage can spread exponentially.
“Organizations, and particularly MSPs, should focus on securing their remote management tools,” cybersecurity experts advise. That means establishing and following security best practices including regular application of security patches, strong multi-factor authentication, limited access to RMM consoles, and ongoing monitoring for signs of misuse.
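One way to put the "ongoing monitoring for signs of misuse" advice into practice is shown below as an added example; it is not code from the original report or from SimpleHelp. It parses a constructed RMM audit log in a hypothetical format and flags an operator who pushes files or runs commands on many endpoints within minutes (the mass-deployment pattern described above) or who operates the console from outside an assumed trusted network.

```python
"""Flag RMM console activity that resembles ransomware staging:
one operator deploying to many endpoints in a short window, or
console use from outside the trusted network."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit-log lines (hypothetical format, not SimpleHelp's):
# <ISO timestamp> <operator> <action> <target host> <console source IP>
SAMPLE_LOG = """\
2025-05-01T09:00:12Z tech01 REMOTE_SESSION ws-001 10.0.5.20
2025-05-01T09:15:40Z tech01 FILE_PUSH ws-001 10.0.5.20
2025-05-01T22:03:01Z admin FILE_PUSH clientA-ws01 203.0.113.7
2025-05-01T22:03:05Z admin FILE_PUSH clientA-ws02 203.0.113.7
2025-05-01T22:03:09Z admin FILE_PUSH clientA-srv01 203.0.113.7
2025-05-01T22:03:14Z admin FILE_PUSH clientB-ws07 203.0.113.7
2025-05-01T22:03:20Z admin REMOTE_EXEC clientB-ws07 203.0.113.7
"""

TRUSTED_CONSOLE_NETS = [ip_network("10.0.0.0/8")]  # assumption: MSP office/VPN range
DEPLOY_ACTIONS = {"FILE_PUSH", "REMOTE_EXEC"}      # actions that place or run code on endpoints
MAX_HOSTS, WINDOW = 3, timedelta(minutes=10)       # tunable thresholds

def parse(log_text):
    """Turn log lines into (timestamp, operator, action, host, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, operator, action, host, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), operator, action, host, src))
    return events

def find_alerts(events):
    """Return a de-duplicated list of (operator, reason) alerts."""
    alerts, seen = [], set()
    recent = defaultdict(list)  # operator -> [(ts, host)] deploy actions inside the window
    for ts, operator, action, host, src in sorted(events):
        if not any(ip_address(src) in net for net in TRUSTED_CONSOLE_NETS):
            key = (operator, f"console activity from untrusted source {src}")
            if key not in seen:
                seen.add(key); alerts.append(key)
        if action not in DEPLOY_ACTIONS:
            continue
        recent[operator] = [(t, h) for t, h in recent[operator] if ts - t <= WINDOW]
        recent[operator].append((ts, host))
        if len({h for _, h in recent[operator]}) >= MAX_HOSTS:
            key = (operator, f"mass deployment: >={MAX_HOSTS} distinct hosts within {WINDOW}")
            if key not in seen:
                seen.add(key); alerts.append(key)
    return alerts
```

Run against real RMM logs, the thresholds and trusted ranges need tuning to the MSP's normal patch-deployment rhythm so that scheduled rollouts do not page the on-call team.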
The link between traditional security agencies and spies, and groups such as DragonForce, is further evidence of the need for a thoughtful and preemptive approach to cyber security in a digital world.