CISA warns of SimpleHelp ransomware compromises after string of retail attacks


Ransomware gangs have been exploiting a vulnerability in the remote device control software SimpleHelp during a recent string of attacks, according to federal cybersecurity officials.

The Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that CVE-2024-57727 — a vulnerability affecting SimpleHelp’s widely-used remote access tools — was exploited to “compromise customers of a utility billing software provider.”

CISA declined to explain the timing of the advisory or what attacks it was referring to. 

SimpleHelp is remote access software that lets users access and control computers from anywhere; it is typically deployed by IT personnel to fix issues or monitor the functions of a device.

“This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp…since January 2025,” CISA said. 

Ransomware gangs “likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp remote monitoring and management [tool] for disruption of services in double extortion compromises.”

CVE-2024-57727 was added to CISA’s catalog of exploited vulnerabilities in February and the agency renewed its call for software vendors, downstream customers and end users to fix the bug as soon as possible.

The federal advisory links to a May 27 report from cybersecurity firm Sophos that tied the SimpleHelp exploitation campaign to the use of DragonForce ransomware against retail companies. 

The report says DragonForce is being used by multiple hacking groups, including well-known operations like Scattered Spider, in recent “attacks targeting multiple large retail chains in the UK and the US.”

CISA and the FBI also noted last week that the Play ransomware has been used in conjunction with the exploitation of CVE-2024-57727. 

Law enforcement officials said initial access brokers with ties to Play ransomware operators continue to exploit the same bug in SimpleHelp, which is deployed by many of the gang’s U.S.-based victims.

The exploitation of issues in remote management tools like SimpleHelp continues to cause concern among defenders.

Vulnerabilities in popular tools produced by ConnectWise and Kaseya have been the source of multiple ransomware and nation-state incidents over the last five years.

Last week, CISA warned that hackers are exploiting a vulnerability in ConnectWise, days after the company said it was investigating a nation-state attack on its systems that affected some of its customers using its ScreenConnect remote management software.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
