
DragonForce ransomware attacking MSPs supply chain through vulnerabilities in SimpleHelp

The DragonForce ransomware operation successfully breached a managed service provider and leveraged its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers’ systems.

Following the breach, Sophos began investigating the attack and believes the threat actors exploited a chain of older SimpleHelp vulnerabilities, tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to gain access to the system.

SimpleHelp is a commercial remote support and access tool widely used by MSPs to manage systems and deploy software across customer networks.

According to Sophos, the threat actors first utilized SimpleHelp to perform reconnaissance on customer systems. This included collecting information about the MSP’s customers, such as device names, configurations, users, and network connections.

Subsequently, the attackers attempted to steal data and deploy encryptors on customer networks. While one network blocked the attack using Sophos endpoint protection, the threat actors successfully encrypted devices and stole data from other customers for double-extortion purposes.
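The attack chain above (an MSP-level RMM session used first for reconnaissance across many downstream customers, then for data theft and encryption) has a detectable shape on the MSP side: one operator session touching an unusual number of customer tenants in a short window while running enumeration commands. The following script is an added example written for this page, not code from Sophos, BleepingComputer or SimpleHelp. The pipe-delimited audit format, the field names, the `RECON_PREFIXES` list, the thresholds and the sample log lines are all constructed for illustration; a real SimpleHelp or other RMM audit log would first have to be mapped onto these fields.

```python
"""Added example, not from the Sophos report or BleepingComputer article.

Flags RMM operator sessions that fan out across several downstream customers
in a short window while running host/user/network enumeration commands, the
pattern described above for the MSP's SimpleHelp instance.

The pipe-delimited audit format, field names, command list, thresholds and
sample lines below are all constructed for illustration; a real SimpleHelp
audit log must first be mapped onto these fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp | session id | operator | customer tenant | command
SAMPLE_LOG = """\
2025-05-20T01:02:11Z|sess-41|tech.alice|customer-A|hostname
2025-05-20T01:02:40Z|sess-41|tech.alice|customer-A|apply_patch KB-PLACEHOLDER
2025-05-20T02:15:03Z|sess-77|svc.rmm|customer-A|systeminfo
2025-05-20T02:15:09Z|sess-77|svc.rmm|customer-A|net view
2025-05-20T02:16:20Z|sess-77|svc.rmm|customer-B|systeminfo
2025-05-20T02:16:31Z|sess-77|svc.rmm|customer-B|net user
2025-05-20T02:17:45Z|sess-77|svc.rmm|customer-C|systeminfo
2025-05-20T02:18:02Z|sess-77|svc.rmm|customer-D|ipconfig /all
2025-05-20T09:30:00Z|sess-90|tech.bob|customer-B|hostname
"""

# Commands typical of the device/user/network enumeration the article describes
# (constructed list; extend it to match your own environment).
RECON_PREFIXES = ("systeminfo", "net view", "net user", "ipconfig", "whoami", "hostname")


def parse_log(text):
    """Parse constructed audit lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, operator, customer, command = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "session": session,
            "operator": operator,
            "customer": customer,
            "command": command,
        })
    return events


def flag_fanout_sessions(events, min_customers=3, window=timedelta(minutes=30), min_recon=3):
    """Return sessions that reach >= min_customers distinct tenants inside any
    sliding window of the given length and run >= min_recon enumeration commands
    overall. The thresholds are illustrative defaults, not tuned values."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        recon = sum(1 for e in evs if e["command"].lower().startswith(RECON_PREFIXES))
        if recon < min_recon:
            continue
        # Sliding window: for each start event, count tenants touched before ts + window.
        peak = 0
        for i, start in enumerate(evs):
            tenants = {e["customer"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(tenants))
        if peak >= min_customers:
            findings.append({
                "session": session,
                "operator": evs[0]["operator"],
                "customers": peak,
                "recon_commands": recon,
                "first_seen": evs[0]["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in flag_fanout_sessions(parse_log(SAMPLE_LOG)):
        print(f"ALERT session {f['session']} ({f['operator']}): "
              f"{f['customers']} tenants, {f['recon_commands']} recon commands")
```

On the constructed sample, only `sess-77` is flagged: it reaches four tenants within a few minutes and runs six enumeration commands, while the two technician sessions each stay inside a single customer. The tenant threshold and window are the knobs to tune against the MSP's normal multi-tenant maintenance activity so that legitimate batch work does not alert.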

To assist organizations in defending against similar threats, Sophos has shared indicators of compromise (IOCs) related to the attack.

MSPs have long been attractive targets for ransomware gangs, as a single breach can enable widespread attacks on multiple companies. In fact, some ransomware affiliates have specialized in exploiting tools commonly used by MSPs, including SimpleHelp, ConnectWise ScreenConnect, and Kaseya.

Such tactics have led to devastating incidents, including REvil’s massive ransomware attack on Kaseya, which affected over 1,000 companies.

DragonForce gains notoriety following UK retail attacks

The DragonForce ransomware gang has recently surged in notoriety after being linked to a wave of high-profile retail breaches carried out with Scattered Spider tactics.

As initially reported by BleepingComputer, the group’s ransomware was deployed in attacks targeting the United Kingdom retailer Marks & Spencer. Shortly afterward, the same threat actors breached another UK retailer, Co-op, which confirmed that a significant amount of customer data had been stolen.

BleepingComputer previously reported that DragonForce is actively trying to build a “cartel” by offering a white-label ransomware-as-a-service (RaaS) model. This approach allows affiliates to deploy rebranded versions of its encryptor.

With this increasingly affiliate-friendly strategy and a growing roster of victims, DragonForce is quickly emerging as a major player in the ransomware landscape.


Source: BleepingComputer
