The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a cybersecurity advisory warning of ransomware hackers leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. The incident reflects a broader pattern of ransomware hackers targeting organizations through unpatched versions of SimpleHelp RMM since January this year. Critical infrastructure organizations have been urged to apply mitigations.

SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including CVE-2024-57727, a path traversal flaw. Ransomware actors likely exploited this vulnerability to compromise unpatched remote monitoring and management (RMM) instances, leading to service disruptions and double extortion attacks. CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog in February this year.

CISA noted that if SimpleHelp is embedded or bundled in vendor-owned software, or if a third-party service provider uses SimpleHelp on a downstream customer's network, the SimpleHelp server version should be identified. If version 5.5.7 or earlier is found, or has been in use since January, third-party vendors should isolate the SimpleHelp server instance from the internet or stop the server process; upgrade immediately to the latest SimpleHelp version in line with SimpleHelp's security vulnerability advisory; and contact downstream customers to direct them to secure their endpoints and undertake threat hunting on their networks.

Organizations must identify whether their systems are running an unpatched version of SimpleHelp RMM, either directly or embedded in third-party software. They should also check if the remote access service (RAS) is active by inspecting relevant paths on Windows, Linux, or macOS. If RAS is installed and running, they need to verify whether the registered service is vulnerable.

If an unpatched SimpleHelp version 5.5.7 or earlier is confirmed on a system, organizations should conduct threat hunting actions for evidence of compromise and continuously monitor for unusual inbound and outbound traffic from the SimpleHelp server. 
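As an added example (not CISA's or SimpleHelp's code), the version triage described above in Python: the 5.5.7 threshold comes from the advisory, while the install directories are labelled placeholders because the page does not give the vendor's paths. Comparing versions as integer tuples matters here, since a plain string comparison would rank "5.5.10" below "5.5.7".

```python
"""Inventory check for SimpleHelp RMM: is a discovered version 5.5.7 or earlier?

Added example, not CISA's or SimpleHelp's code. The install paths below are
placeholders (ASSUMPTION): replace them with the paths from your own inventory
or the vendor's documentation.
"""
import os
import platform
import re

# Highest version the advisory describes as affected (5.5.7 and earlier).
LAST_VULNERABLE = (5, 5, 7)

# Placeholder directories to inspect for a SimpleHelp remote access service (RAS).
# ASSUMPTION: illustrative values, not the vendor's documented paths.
RAS_CANDIDATE_PATHS = {
    "Windows": [r"C:\ProgramData\SIMPLEHELP_RAS_PLACEHOLDER"],
    "Linux": ["/opt/SIMPLEHELP_RAS_PLACEHOLDER"],
    "Darwin": ["/Library/Application Support/SIMPLEHELP_RAS_PLACEHOLDER"],
}

def parse_version(text):
    """Turn '5.5.7' or 'v5.5.10-beta' into an integer tuple such as (5, 5, 10).
    Tuple comparison avoids the string-comparison trap where '5.5.10' < '5.5.7'."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_vulnerable(version_text):
    """True when the version is 5.5.7 or earlier, the range CISA flagged."""
    return parse_version(version_text) <= LAST_VULNERABLE

def ras_present(system=None, paths=None):
    """Return the first candidate RAS directory that exists on this host, else None."""
    system = system or platform.system()
    paths = paths if paths is not None else RAS_CANDIDATE_PATHS.get(system, [])
    for path in paths:
        if os.path.isdir(path):
            return path
    return None

def triage(version_text, system=None, paths=None):
    """Summarise whether RAS is installed here and whether the version is affected."""
    return {
        "ras_path": ras_present(system, paths),
        "version": ".".join(map(str, parse_version(version_text))),
        "vulnerable": is_vulnerable(version_text),
    }

if __name__ == "__main__":
    for sample in ("5.5.7", "5.5.8", "5.4.12", "SimpleHelp v5.5.10"):
        print(sample, "->", "AFFECTED" if is_vulnerable(sample) else "outside affected range")
```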

CISA noted that if a system has been encrypted by ransomware, the organization must disconnect the affected system from the internet; use clean installation media (e.g., a bootable USB drive or DVD) to reinstall the operating system; ensure the installation media is free from malware; wipe the system and only restore data from a clean backup; and ensure data files are obtained from a protected environment to avoid reintroducing ransomware to the system.

In case the organization is unable to immediately identify and patch vulnerable versions of SimpleHelp, appropriate workarounds must be applied. In this circumstance, CISA recommends using other vendor-provided mitigations when available. These non-patching workarounds should not be considered permanent fixes, and organizations should apply the appropriate patch as soon as it is made available.

CISA urges organizations to implement the mitigations below in response to ransomware activity exploiting SimpleHelp software. These actions align with the cross-sector Cybersecurity Performance Goals (CPGs), developed with NIST, which outline baseline practices to defend against common and high-impact threats. The CPGs draw from existing frameworks and are recommended across critical infrastructure organizations.

To reduce intrusion risks and strengthen ransomware defenses, CISA recommends that customers of vendors and managed service providers (MSPs) follow several best practices.

Organizations should maintain a detailed asset inventory and hardware list. They should keep a clean, offline backup of critical systems to ensure data can be restored if ransomware encryption occurs. Daily backups should be performed using a separate, offline device such as a flash drive or external hard drive, and the device should be disconnected immediately after the backup is complete.

Remote services such as Remote Desktop Protocol (RDP) should not be exposed to the Internet. If exposure is necessary, organizations must implement compensating controls to prevent abuse and exploitation. They should also disable unnecessary operating system applications and network protocols on internet-facing assets.

A risk analysis should be conducted for any remote monitoring and management (RMM) software used on the network. If RMM is required, organizations should ask third-party vendors what security controls they have in place. Maintaining open communication channels with these vendors is essential to stay informed about their patch management processes.

Software vendors should consider integrating a Software Bill of Materials (SBOM) into their products. An SBOM is a formal record of all components used to build software. It helps reduce vulnerability remediation time by identifying known issues, clarifying security requirements, and managing mitigation strategies. SBOMs also support stronger supply chain risk management.
