
Ransomware groups use SimpleHelp flaws to launch Double Extortion Campaigns


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors actively target unpatched SimpleHelp Remote Monitoring and Management (RMM) instances in order to compromise customers of an unnamed utility billing software provider.

According to the agency’s advisory, this incident highlights a broader pattern in which ransomware actors have targeted organizations through unpatched versions of SimpleHelp RMM since January 2025.

Earlier this year, SimpleHelp disclosed a set of flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that lead to information disclosure, privilege escalation, and remote code execution.

Since then, threat actors, including ransomware groups like DragonForce, have repeatedly exploited these vulnerabilities in the wild to breach high-value targets. For instance, last month, Sophos revealed that a Managed Service Provider’s deployment of SimpleHelp was accessed by the threat actor using these flaws. The attacker then used this access to pivot toward other downstream customers.

CISA noted that SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including CVE-2024-57727. Ransomware crews exploit these flaws to reach downstream customers’ unpatched SimpleHelp instances and launch double extortion attacks.

To help organizations—particularly third-party service providers that use SimpleHelp to connect to downstream customers—mitigate this threat, CISA outlined the following actions:

  • Identify and isolate SimpleHelp server instances from the internet, and update them to the latest version
  • Notify downstream customers and instruct them to take necessary actions to secure their endpoints
  • Conduct threat hunting operations for indicators of compromise, and monitor for unusual inbound and outbound traffic from the SimpleHelp server (including downstream customers)
  • Disconnect systems from the internet if ransomware has encrypted them, reinstall the operating system, and restore data from a clean backup
  • Maintain clean, offline backups on a regular basis
  • Avoid exposing remote services, such as Remote Desktop Protocol (RDP), to the web
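The first three CISA actions above amount to an inventory triage: find every SimpleHelp server, decide whether its version falls at or below the 5.5.7 threshold the advisory names, and prioritise the ones that are reachable from the internet. The following script is an added example, not CISA's or SimpleHelp's own tooling; the hostnames, versions and the `internet_exposed` flag are constructed sample data, and the only rule it applies is the page's "5.5.7 and earlier" threshold.

```python
from dataclasses import dataclass

# Threshold stated in the advisory: SimpleHelp 5.5.7 and earlier are affected.
LAST_VULNERABLE = (5, 5, 7)


@dataclass
class SimpleHelpServer:
    host: str              # hypothetical inventory fields
    version: str
    internet_exposed: bool


def parse_version(v: str) -> tuple:
    """Turn '5.5.7' into (5, 5, 7). Comparing tuples of ints avoids the
    string-comparison pitfall where '5.5.10' sorts before '5.5.7'."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    return parse_version(version) <= LAST_VULNERABLE


def triage(servers):
    """Return (host, action) pairs, most urgent first: an unpatched server
    that is also internet-facing outranks an unpatched internal one, which
    outranks a patched server that is merely exposed."""
    findings = []
    for s in servers:
        vuln = is_vulnerable(s.version)
        if vuln and s.internet_exposed:
            findings.append((0, s.host, "isolate from internet, update, hunt for compromise"))
        elif vuln:
            findings.append((1, s.host, "update to latest version, hunt for compromise"))
        elif s.internet_exposed:
            findings.append((2, s.host, "patched, but remove internet exposure"))
    findings.sort()
    return [(host, action) for _, host, action in findings]


# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = [
    SimpleHelpServer("rmm-01.example.test", "5.5.7", True),
    SimpleHelpServer("rmm-02.example.test", "5.5.10", True),
    SimpleHelpServer("rmm-03.example.test", "5.3.8", False),
    SimpleHelpServer("rmm-04.example.test", "5.5.8", False),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```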

CISA strongly advises against paying ransoms, as the threat actors’ decryptors do not guarantee successful file recovery.

Moreover, CISA warned that ransom payments may embolden adversaries to target more organizations, motivate other criminal actors to distribute ransomware, and fund further illicit activities.

Fog Ransomware Attack Deploys Employee Monitoring Software

This development follows a detailed report from Broadcom-owned Symantec, which analyzed a Fog ransomware attack that targeted an unnamed financial institution in Asia. The attackers used a mix of dual-use and open-source pentesting tools not previously observed in other ransomware intrusions.

Fog, a ransomware variant first detected in May 2024, operates similarly to other financially motivated operations. The threat actors use compromised virtual private network (VPN) credentials and exploit system vulnerabilities to infiltrate an organization’s network. They then exfiltrate data before encrypting it.

In some cases, the attackers have used alternate infection sequences involving Windows shortcut (LNK) files embedded in ZIP archives. They distribute these archives via email and phishing attacks. Once executed, the LNK file downloads a PowerShell script, which drops a ransomware loader containing the Fog locker payload.
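A mail gateway or sandbox can catch the LNK-in-ZIP delivery stage described above before anything executes. The script below is an added example written for this article, not code from Symantec or the Fog operators: it opens a ZIP archive and flags entries that carry the shell-link header, so a shortcut renamed to look like a document is still caught. The sample archive is constructed in memory, and its "shortcuts" are only the 20-byte header followed by padding, not working LNK files.

```python
import io
import zipfile

# Fixed header of a Windows shell link per MS-SHLLINK: HeaderSize 0x4C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its little-endian byte layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")


def is_lnk(data: bytes) -> bool:
    """True when the first 20 bytes match the shell-link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def find_lnk_in_zip(zip_bytes: bytes) -> list:
    """Return the names of archive entries that are LNK files, judged by
    header magic rather than by file extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if is_lnk(head):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed fixture: a benign text file, a shortcut with the .lnk
    extension, and the same shortcut renamed to pass as a PDF. The shortcut
    bodies are header plus zero padding only, so they are not runnable."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "quarterly figures attached")
        zf.writestr("invoice.lnk", fake_lnk)
        zf.writestr("invoice.pdf", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_lnk_in_zip(build_sample_zip()):
        print(f"LNK entry found in archive: {name}")
```

In production this check would run on attachments before delivery, with a hit routed to quarantine rather than printed.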

Moreover, the attackers employ advanced techniques to escalate privileges and evade detection. They inject malicious code directly into memory and disable security tools. Notably, Fog can target both Windows and Linux endpoints.

According to Trend Micro, by April 2025, Fog threat actors had claimed 100 victims on their data leak site since the beginning of the year. Most victims belonged to the technology, education, manufacturing, and transportation sectors.

Symantec noted a particularly unusual tactic: the attackers used a legitimate employee monitoring software called Syteca (formerly Ekran). Additionally, they deployed several open-source penetration testing tools—GC2, Adaptix, and Stowaway—that are rarely seen in ransomware campaigns.

Although the exact initial access vector remains unclear, researchers observed the use of Stowaway—a proxy tool commonly associated with Chinese hacking groups—to deliver Syteca. Notably, GC2 was used in 2023 attacks attributed to the Chinese state-sponsored group APT41.

The attackers also downloaded legitimate tools such as 7-Zip, FreeFileSync, and MegaSync to create compressed data archives for exfiltration purposes.

Another notable aspect of the campaign involved the creation of a persistent service on the network several days after deploying the ransomware. The attackers remained active on the network for about two weeks before triggering the ransomware payload.

Symantec and Carbon Black researchers commented that this approach diverges from typical ransomware behavior. Normally, attackers exit the network after exfiltrating data and deploying ransomware. In this case, however, the actors appeared intent on maintaining access to the victim’s environment.

Given these highly uncommon tactics, analysts suggest the attackers may have had espionage motives. They possibly deployed the Fog ransomware either to obscure their true objectives or to generate quick financial gain alongside their primary mission.

LockBit Panel Leak Reveals China Among Most Targeted

These findings also align with recent revelations showing that the LockBit ransomware-as-a-service (RaaS) scheme claimed 156 victims and generated approximately $2.3 million over the past six months. This data indicates that the e-crime group continues its operations despite experiencing several setbacks.

Furthermore, Trellix’s analysis of LockBit’s geographic targeting—based on the May 2025 admin panel leak—reveals that, from December 2024 to April 2025, affiliates Iofikdis, PiotrBond, and JamesCraig most heavily targeted China. Other frequently attacked countries include Taiwan, Brazil, and Turkey.

“The concentration of attacks in China suggests a significant focus on this market, possibly due to its large industrial base and manufacturing sector,” explained security researcher Jambul Tologonov.

In contrast to RaaS groups like Black Basta and Conti, which occasionally probe Chinese targets without encrypting them, LockBit seems fully willing to operate within Chinese borders. This boldness—marked by a disregard for potential political consequences—represents a notable departure from the typical approach of other ransomware groups.

The admin panel used by LockBit allows affiliates to generate ransomware builds using LockBit Black 4.0 and LockBit Green 4.0 for Windows, Linux, and ESXi systems. It also grants access to victim negotiation chats. LockBit 4.0 was released by the core developers on December 19, 2024.

Following the affiliate panel leak, LockBit responded by offering a monetary reward for verifiable information about “xoxo from Prague,” the anonymous actor who claimed responsibility for exposing the system.

Additionally, LockBit appears to have gained an unexpected advantage from the abrupt shutdown of RansomHub at the end of March 2025. This disruption prompted several former RansomHub affiliates—including BaleyBeach and GuillaumeAtkinson—to migrate to LockBit, pushing the group to reactivate its operations amid ongoing development of the upcoming LockBit 5.0 version.

“What this leak truly reveals is the complex—and ultimately less glamorous—reality of their illicit ransomware activities,” Tologonov concluded. “While profitable, it’s far from the perfectly orchestrated, massively lucrative operation they want the world to believe it is.”


Source: TheHackerNews
