[Arielle Waldman](/author/arielle-waldman), Features Writer

June 13, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) is urging SimpleHelp customers to patch a known vulnerability following a wave of ransomware attacks targeting downstream customers.

The critical path traversal vulnerability, tracked as [CVE-2024-57727](https://nvd.nist.gov/vuln/detail/CVE-2024-57727), affects SimpleHelp’s Remote Monitoring and Management (RMM) tool versions 5.5.7 and earlier. If exploited, an unauthenticated attacker can download arbitrary files from the SimpleHelp host, including sensitive data such as configuration files and hashed user passwords. The flaw was disclosed in January, and a patch was released days later.
However, it appears many instances remain vulnerable.

In an advisory on June 12, CISA revealed that ransomware gangs are exploiting CVE-2024-57727 to ‘compromise downstream customers of a utility billing software provider.’ More alarmingly, the threat activity shows SimpleHelp has become a [popular target for attackers](https://www.darkreading.com/application-security/dragonforce-ransomware-msp-supply-chain-attack), which is particularly dangerous since it provides remote support — a key to conducting supply chain attacks on downstream customers.

‘This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025,’ CISA wrote in the [advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a), adding that the attackers ‘disrupt services in double extortion compromises.’

Apply Mitigations ‘Immediately’
-------------------------------

Exploitation activity appears to be ongoing, and many SimpleHelp customers remain unpatched. CVE-2024-57727 is also one of ‘several’ vulnerabilities affecting SimpleHelp versions 5.5.7 and earlier, CISA warned. SimpleHelp can be embedded or bundled with third-party software products. As such, CISA instructed third-party vendors, downstream customers, and end users to ‘immediately’ apply several mitigations, including upgrades and patches, and isolate SimpleHelp server instances from the Internet. Mitigations apply to all critical infrastructure organizations, CISA added.

The federal agency also urged third-party vendors and managed service providers (MSPs), which [commonly use SimpleHelp](https://www.darkreading.com/application-security/dragonforce-ransomware-msp-supply-chain-attack) to monitor and manage their customer networks, to take proactive measures.
One recommendation highlighted the increased importance of integrating the [software bill of materials](https://www.techtarget.com/whatis/definition/software-bill-of-materials-SBOM) (SBOM) into products. SBOM aims to bolster supply chain security by reducing the number of vulnerabilities introduced from the start.

To defend against ransomware attacks, it’s important to maintain effective backups for data recovery and to ensure that remote desktop protocols (RDPs), which attackers use to gain initial access, are not exposed to the Internet. Communication with third-party vendors is also important to ensure they have effective RMM security controls in place. CISA’s advisory reminded organizations that the agency does not encourage victims to pay a ransom.

About the Author
----------------

[Arielle Waldman](/author/arielle-waldman) Features
Writer, Dark Reading

Arielle Waldman is a Boston-based features writer for Dark Reading covering all things cybersecurity.
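
An added example, not from the article or CISA's advisory: since SimpleHelp can be bundled inside third-party products, an SBOM can be searched for SimpleHelp at version 5.5.7 or earlier, including when it sits nested under another component. It assumes a CycloneDX JSON SBOM and that the bundled component's name contains "simplehelp"; the sample document and its product names are constructed.

```python
import re

LAST_AFFECTED = (5, 5, 7)  # article: SimpleHelp 5.5.7 and earlier are affected
NAME_PATTERN = re.compile(r"simplehelp", re.IGNORECASE)  # assumed component naming


def parse_version(text):
    """Return a tuple of ints for dotted versions like '5.5.7', else None."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", str(text or "").strip())
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (len(LAST_AFFECTED) - len(parts))  # '5.5' compares as 5.5.0
    return tuple(parts)


def walk(components, path=()):
    """Yield (path, component) for every component, nested ones included."""
    for comp in components or []:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk(comp.get("components"), here)


def audit_sbom(sbom):
    """Return (path, version, status) for each SimpleHelp component found."""
    findings = []
    for path, comp in walk(sbom.get("components")):
        if not NAME_PATTERN.search(comp.get("name", "")):
            continue
        version = parse_version(comp.get("version"))
        if version is None:
            status = "unknown-version"  # cannot be ruled out; check by hand
        elif version <= LAST_AFFECTED:  # numeric compare, so 5.5.10 > 5.5.7
            status = "affected"
        else:
            status = "above-affected-range"
        findings.append((" > ".join(path), comp.get("version"), status))
    return findings


# Constructed sample (CycloneDX JSON shape): a product bundling SimpleHelp.
SAMPLE = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "example-billing-suite", "version": "3.2.0", "components": [
        {"name": "SimpleHelp", "version": "5.5.7"},
        {"name": "log-shipper", "version": "1.0.4"}]},
    {"name": "simplehelp-server", "version": "5.5.10"},
    {"name": "SimpleHelp Remote Access", "version": "custom-build"}]}
```

Entries reported as `unknown-version` are kept in the findings rather than dropped, because a bundled copy with a vendor-specific version string cannot be cleared automatically.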
Related Tags:
CVE-2024-57727
NAICS: 56 – Administrative And Support And Waste Management And Remediation Services
NAICS: 54 – Professional, Scientific, Technical Services
NAICS: 561 – Administrative And Support Services
NAICS: 541 – Professional, Scientific, Technical Services
NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, Related Services
NAICS: 51 – Information
Blog: Dark Reading
Gather Victim Org Information: Business Relationships
Associated Indicators:


