Aman Mishra
2025-02-07 04:55:00
gbhackers.com
Cybercriminals are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to infiltrate networks, create unauthorized administrator accounts, and deploy malware, including the Sliver backdoor.
These flaws, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were disclosed in early January 2025 by researchers at Horizon3.ai.
Despite the availability of patches, unpatched systems remain vulnerable to these sophisticated attacks.
Exploitation Details
The vulnerabilities allow attackers to escalate privileges to administrator levels, upload or download files, and execute arbitrary code.
In observed cases, attackers exploited these flaws to gain initial access through compromised SimpleHelp clients.
![SimpleHelp](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX0NBwSM8KORc_-bd43nwIEGIXYUCgLzHOx0UJEd1MD6X32ldh90PWw5lAagak8jSgRr1uFOIy1zDjontE97IpN6CZn_BmUw4nM018gJt4h4XXV2JqhXzYz0_p1MgBXiJ2CxVrfpZISeIhvkP3u8tcp9HuRvKHY22rv5nj2OoUVVViAZ2YbRHBmKptk6g/s16000/Screenshot%20of%20SimpleHelp%20instance%20running%20on%20194.76.227%5B.%5D171.webp)
Using commands like ipconfig and nltest, they gathered system and network information before creating administrator accounts such as “sqladmin” and “fpmhlttech.”
These accounts facilitated the installation of malicious payloads like the Sliver post-exploitation framework.
Sliver, an open-source tool originally designed for penetration testing, has been repurposed by threat actors for command-and-control (C2) operations.
The malware connects to servers hosted in Estonia and the Netherlands via encrypted communication channels, evading detection by most security tools.
Additionally, attackers deployed Cloudflare tunnels disguised as legitimate Windows processes to maintain stealthy access to compromised systems.
Attack Progression
The attacks typically begin with unauthorized access through the SimpleHelp client running on vulnerable endpoints.
Once inside, threat actors perform reconnaissance, establish persistence mechanisms, and prepare for lateral movement across networks.
In one instance, attackers targeted a domain controller (DC), creating new admin accounts and deploying a disguised Cloudflare tunnel to bypass firewalls.
Automated policies flagged suspicious behavior related to SimpleHelp software exploitation, enabling rapid response teams to isolate affected systems before ransomware deployment could occur.
To mitigate these risks, organizations using SimpleHelp RMM software should immediately apply security updates released in versions 5.3.9, 5.4.10, and 5.5.8.
Additional measures include:
- Restricting access to SimpleHelp servers by implementing IP whitelisting and multi-factor authentication (MFA).
- Actively monitoring for indicators of compromise (IoCs), such as connections to malicious IPs or the presence of unauthorized admin accounts like “sqladmin.”
- Removing unused SimpleHelp clients from systems to reduce attack surfaces.
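As an added illustration of two of the checks above (the patch-level check and the monitoring for unauthorized admin accounts), the following is example code written for this article, not tooling from Field Effect, Horizon3.ai or SimpleHelp. It assumes the fixed releases listed above are the only ones that matter for each branch, and the Windows Security event lines and their one-line field layout are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Fixed releases named in the advisory, keyed by branch; older branches (5.2 and
# below) have no fixed release listed, so they are treated as unpatched.
FIXED_VERSIONS = {(5, 3): (5, 3, 9), (5, 4): (5, 4, 10), (5, 5): (5, 5, 8)}
# Account names reported in the campaign; flag them on creation regardless of timing.
CAMPAIGN_ACCOUNTS = {"sqladmin", "fpmhlttech"}

def is_patched(version):
    """True when a SimpleHelp build ('5.4.3') is at or above its branch's fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised SimpleHelp version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return v[:2] > (5, 5)  # newer branches ship the fix; older ones do not
    return v >= fixed

# Constructed Windows Security events (4720 = account created, 4732 = member added
# to a local group). The one-line field layout is an assumption for this example.
SAMPLE_EVENTS = [
    "2025-01-22T02:11:05 4720 target=sqladmin subject=svc_remote",
    "2025-01-22T02:11:09 4732 target=sqladmin group=Administrators subject=svc_remote",
    "2025-01-22T02:40:31 4720 target=fpmhlttech subject=svc_remote",
    "2025-01-22T09:15:00 4720 target=j.doe subject=helpdesk",
    "2025-01-23T09:20:00 4732 target=j.doe group=Administrators subject=helpdesk",
]
EVENT_RE = re.compile(r"^(\S+) (\d+) target=(\S+)(?: group=(\S+))? subject=(\S+)$")

def suspicious_admin_accounts(events, window=timedelta(minutes=5)):
    """Accounts matching the campaign list, or created and promoted to
    Administrators within `window` (a helpdesk rarely does both in seconds)."""
    created, hits = {}, set()
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected shape
        ts, eid, target, group, _subject = m.groups()
        when = datetime.fromisoformat(ts)
        if eid == "4720":
            created[target] = when
            if target.lower() in CAMPAIGN_ACCOUNTS:
                hits.add(target)
        elif eid == "4732" and group == "Administrators":
            born = created.get(target)
            if born is not None and when - born <= window:
                hits.add(target)
    return sorted(hits)
```

On the constructed sample, the two campaign names are flagged while the helpdesk account promoted a day after creation is not; the window and the name list are the knobs to tune against your own baseline.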
The exploitation of SimpleHelp vulnerabilities underscores the importance of timely patch management and proactive threat detection.
While some attacks have been linked to tactics used by groups like Akira Ransomware, definitive attribution remains elusive due to the widespread adoption of similar techniques by various threat actors.
Field Effect continues to monitor this campaign and advises organizations to remain vigilant against potential follow-up attacks leveraging these vulnerabilities.