The DragonForce ransomware group recently infiltrated a managed service provider (MSP) and leveraged its SimpleHelp remote monitoring platform to access client networks, steal data, and launch encryption attacks.
Sophos, which investigated the breach, believes the attackers exploited multiple vulnerabilities in older versions of SimpleHelp (CVE-2024-57726, -57727, and -57728) to gain unauthorized access. After breaching the MSP, the attackers conducted reconnaissance, gathering customer device and network information before attempting data theft and encryption across downstream networks.
While Sophos’ endpoint protection blocked the ransomware on one system, other clients suffered data loss and encryption, fueling double-extortion demands.
DragonForce has gained recent notoriety following attacks on UK retailers like Marks & Spencer and Co-op, and it’s now promoting a ransomware-as-a-service model to attract more affiliates. This attack highlights the increasing risk posed by ransomware gangs targeting MSP tools to scale their operations across multiple organizations.
