Flaws in SimpleHelp RMM exploited to breach corporate networks
Take action: If you are running a SimpleHelp server, patch ASAP, rotate all SimpleHelp user passwords and audit your systems for the user accounts "sqladmin" and "fpmhlttech". Hackers are already exploiting these flaws. Don't delay.
A series of critical vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software are being actively exploited by threat actors to deploy malware and potentially prepare for ransomware attacks. The exploitation of these vulnerabilities has been confirmed by cybersecurity firm Field Effect, following initial reports of potential exploitation by Arctic Wolf.
The attack chain, as documented by Field Effect, begins with threat actors exploiting the SimpleHelp RMM vulnerabilities to establish unauthorized connections to target endpoints. The attacks have been traced to an Estonian-based server (IP: 194.76.227[.]171) running SimpleHelp on port 80.
After initial access, the attackers conduct extensive reconnaissance of the target environment, gathering system and network information, enumerating users and privileges, and collecting details about scheduled tasks, services, and domain controllers.
Following the reconnaissance phase, the attackers establish persistence through multiple methods. They create a new administrator account under the name "sqladmin" and proceed to install the Sliver post-exploitation framework, disguised as "agent.exe." Sliver, a legitimate penetration testing tool developed by Bishop Fox, has gained popularity among threat actors as an alternative to Cobalt Strike, which is increasingly detected by endpoint protection solutions. The deployed Sliver beacon is configured to communicate with a command and control (C2) server located in the Netherlands.
The attackers then expand their presence within the network by compromising the Domain Controller using the same SimpleHelp RMM client. They create an additional administrator account named "fpmhlttech" and install a Cloudflare Tunnel, disguised as Windows svchost.exe, to maintain stealthy access and bypass security controls and firewalls. This sophisticated approach allows them to establish persistent access while evading detection.
SimpleHelp users are strongly advised to immediately apply the available security updates that address the three vulnerabilities. Organizations should also audit their systems for unauthorized administrator accounts, particularly those named "sqladmin" and "fpmhlttech," monitor for connections to the identified malicious IPs, and restrict SimpleHelp access to trusted IP ranges only.
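The following triage script turns the indicators above (the two rogue administrator account names, the Estonian attacker IP, and the Cloudflare Tunnel masquerading as svchost.exe) into checks a defender can run over exported data. It is an added example, not code from the article, from Field Effect or from SimpleHelp. It assumes you can export three things from an endpoint: the members of the local Administrators group, connection or firewall log lines, and a process list with full image paths; the sample data at the bottom is constructed, and the legitimate svchost.exe directories are general Windows knowledge rather than something stated in the article.

```python
"""Triage helper for the SimpleHelp RMM intrusion indicators described above.

Added example, not the article's or any vendor's code. Checks:
  1. local Administrators members named "sqladmin" / "fpmhlttech"
  2. log lines that mention the attacker IP 194.76.227.171
  3. svchost.exe images running outside the normal Windows system folders
     (the Cloudflare Tunnel was disguised as svchost.exe)
Input formats are assumptions: plain name lists, free-text log lines and
(image_name, full_path) tuples, so the checks run offline on exported data.
"""
import re
from dataclasses import dataclass

# Indicators taken from the article.
SUSPICIOUS_ACCOUNTS = {"sqladmin", "fpmhlttech"}
MALICIOUS_IPS = {"194.76.227.171"}
# Where a genuine svchost.exe lives on Windows (general knowledge, not from the article).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def check_admin_accounts(admin_members):
    """Flag Administrators-group members whose name matches the article's IoCs."""
    return [Finding("rogue_admin_account", name) for name in admin_members
            if name.strip().lower() in SUSPICIOUS_ACCOUNTS]


_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def check_connection_logs(lines):
    """Flag any log line containing the attacker IP. Format-agnostic: every
    dotted-quad on the line is compared against MALICIOUS_IPS."""
    findings = []
    for line in lines:
        hits = set(_IP_RE.findall(line)) & MALICIOUS_IPS
        for ip in sorted(hits):
            findings.append(Finding("attacker_ip_connection", f"{ip} in: {line.strip()}"))
    return findings


def check_svchost_paths(processes):
    """processes: iterable of (image_name, full_path). Flag svchost.exe images
    whose directory is not one of the legitimate Windows system folders."""
    findings = []
    for name, path in processes:
        if name.lower() != "svchost.exe":
            continue
        directory = path.replace("/", "\\").rsplit("\\", 1)[0].lower()
        if directory not in LEGIT_SVCHOST_DIRS:
            findings.append(Finding("masqueraded_svchost", path))
    return findings


def triage(admin_members, log_lines, processes):
    """Run all three checks and return the combined list of findings."""
    return (check_admin_accounts(admin_members)
            + check_connection_logs(log_lines)
            + check_svchost_paths(processes))


# Constructed sample data (not real telemetry): one hit per check.
SAMPLE_ADMINS = ["Administrator", "sqladmin", "itops"]
SAMPLE_LOGS = [
    "2025-01-29T10:14:02Z fw allow src=10.0.0.15 dst=194.76.227.171 dport=80 proto=tcp",
    "2025-01-29T10:14:05Z fw allow src=10.0.0.15 dst=13.107.4.50 dport=443 proto=tcp",
]
SAMPLE_PROCS = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ADMINS, SAMPLE_LOGS, SAMPLE_PROCS):
        print(f"[{f.category}] {f.detail}")
```

Run as-is the script reports three findings from the constructed data. The path check is deliberately strict on directory rather than on file name, because the article's point is that the tunnel binary borrows a trusted name; a match on name alone would be noise, while a system-named binary outside System32 or SysWOW64 is worth a look on any host.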