On June 12, 2025, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) highlighting ransomware actors exploiting vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) tool, affecting software version 5.5.7 and earlier.
Horizon3.ai first detailed the issues in a January 2025 blog post, disclosing multiple vulnerabilities that could be used to compromise a SimpleHelp server. Most notably, a set of path traversal vulnerabilities (CVE-2024-57727) could be leveraged by remote, unauthenticated attackers to download arbitrary files from the SimpleHelp server, including server configuration files where hashed account passwords are stored. Should an attacker gain access to the SimpleHelp administrative console, it would be possible to pivot into downstream customer environments, exfiltrate data, and deploy ransomware.
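The flaw class above is worth seeing concretely. The following is an added illustration, not SimpleHelp's code and not taken from the Horizon3.ai write-up: a generic file-serving routine that joins a client-supplied path onto a document root (the bug), the same routine with canonicalization and a containment check (the fix), and a small access-log check that flags traversal attempts, including URL-encoded and double-encoded `../` sequences. `WEB_ROOT`, the file names and the sample log lines are all constructed for the example.

```python
"""Path traversal: vulnerable resolver, hardened resolver, and a log check.

Added example. Generic code, not SimpleHelp's; WEB_ROOT, the requested
file names and SAMPLE_LOG are constructed for the illustration.
"""
import os
import urllib.parse

WEB_ROOT = "/srv/app/public"  # hypothetical document root


def decode_path(raw, rounds=2):
    """URL-decode repeatedly (bounded) so that encoded (%2e%2e/) and
    double-encoded (%252e%252e/) traversal sequences are seen the way a
    decoding layer further down the stack would see them."""
    decoded = raw
    for _ in range(rounds):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def vulnerable_resolve(requested):
    """The bug: join the client path onto the root and serve the result.
    '../' segments walk out of WEB_ROOT, so any readable file can be fetched."""
    decoded = urllib.parse.unquote(requested)
    return os.path.normpath(os.path.join(WEB_ROOT, decoded.lstrip("/")))


def safe_resolve(requested):
    """The fix: canonicalize first, then require the result to sit inside
    WEB_ROOT. realpath also collapses symlinks, so a link inside the root that
    points outside it is rejected as well. Returns None when the request must
    be refused (and should be logged)."""
    decoded = decode_path(requested)
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def is_traversal_attempt(request_path):
    """Detection heuristic for access logs: a '..' path segment after decoding,
    or a NUL byte, has no place in a legitimate static-file request."""
    decoded = decode_path(request_path.split("?", 1)[0])
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments or "\x00" in decoded


def flag_requests(log_lines):
    """Return (line_number, path) for each combined-format access-log line
    whose request path looks like a traversal attempt."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            path = line.split('"')[1].split()[1]  # 'METHOD PATH HTTP/x'
        except IndexError:
            continue
        if is_traversal_attempt(path):
            hits.append((n, path))
    return hits


# Constructed sample access-log lines; not taken from any real incident.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2025:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jun/2025:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1903',
    '198.51.100.9 - - [01/Jun/2025:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/config/server.xml HTTP/1.1" 200 2210',
    '198.51.100.9 - - [01/Jun/2025:10:00:04 +0000] "GET /img/logo.png?v=2 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("/../../etc/passwd"))  # escapes the root
    print("hardened:  ", safe_resolve("/../../etc/passwd"))        # None
    for n, path in flag_requests(SAMPLE_LOG):
        print(f"line {n}: suspicious request {path}")
```

Two practical points: the containment check compares canonical paths, not the raw string (a `startswith(WEB_ROOT)` test on the un-normalized join is exactly the check that `..` defeats), and the log heuristic decodes before looking for `..`, because a single-decode check misses `%252e%252e`. A 200 response on such a request, as in the constructed lines above, is the signal worth hunting for in historical logs once a vulnerable version is known to have been exposed.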
There has been a marked uptick in the number of adversaries leveraging RMM toolsets for initial access and disguising malicious software and tool deployment as legitimate activity. Shortly after the disclosure of CVE-2024-57727, Arctic Wolf released a security bulletin highlighting adversaries known to have used SimpleHelp and other RMM tools, such as ConnectWise ScreenConnect (CVE-2024-1708 and CVE-2024-1709) and Kaseya VSA (CVE-2021-30116), during their cyberattacks.
AttackIQ has previously released several emulations related to threat actors known for leveraging RMM tools:
- DragonForce Ransomware – 2024-09 – Associated Tactics, Techniques and Procedures (TTPs): In May 2025, Sophos released an article describing an incident in which DragonForce ransomware was deployed through a vulnerable SimpleHelp server. That same month, AttackIQ released two new attack graphs that emulate the behaviors exhibited by DragonForce ransomware.
- [CISA AA25-071A] #StopRansomware: Medusa Ransomware: Medusa was the subject of an earlier CSA in March 2025. CISA's reporting indicated that Medusa affiliates commonly leverage remote access software as a means to evade detection; toolsets mentioned in the advisory included SimpleHelp, PDQ Deploy, ConnectWise, and others. In response to AA25-071A, AttackIQ released an atomic test; an attack graph emulating the behaviors exhibited by Medusa ransomware had already been released in late 2024.
- [CISA AA23-061A] #StopRansomware: Royal Ransomware: This emulation was released in response to CISA Advisory AA23-061A on March 3rd, 2023. This attack graph emulates the tactics, techniques, and procedures (TTPs) observed in cyberattacks involving Royal Ransomware.
- [US-CERT AA22-321A] #StopRansomware: Hive Ransomware: This emulation was released in response to CISA Advisory AA22-321A on November 18th, 2022, and contains the tactics, techniques, and procedures (TTPs) observed in attacks carried out by Hive Ransomware.
- MuddyWater – 2020-09 – Operation Quicksand: This emulation was created based on research performed by ClearSky Cybersecurity and released in late 2020. The emulation contains the two primary attack vectors that were used during Operation Quicksand.
Reconnaissance-related Activities Reported
In the same security bulletin referenced above, Arctic Wolf described reconnaissance-related activity performed by threat actors who successfully used a SimpleHelp server as an initial access vector. The threat actor was observed using nltest and net commands to enumerate user and domain information.
AttackIQ customers can emulate this behavior by running the following two scenarios in their environment.
- Enumerate Domain Controllers using Nltest
- Account Discovery using “net.exe” command
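Emulating the nltest and net enumeration is only half the exercise; the other half is confirming that the resulting process-creation telemetry is actually caught. The block below is an added example of that detection logic, not AttackIQ scenario code and not from the Arctic Wolf bulletin. It assumes process-creation events (Sysmon Event ID 1, or Windows Security 4688 with command-line auditing enabled) exported as records with `host`, `user`, `parent_image` and `command_line` fields; the field names, the ATT&CK mapping of each command, the `RemoteSupport\agent.exe` parent path and all sample events are constructed for the illustration.

```python
"""Flag nltest / net enumeration in process-creation events.

Added example; not AttackIQ scenario code. Event records, field names and
the hypothetical RMM agent path are constructed to resemble Sysmon Event ID 1
or Windows 4688 data exported as JSON.
"""
import re
from collections import Counter

# Command-line patterns and the ATT&CK technique each one indicates.
# Matched case-insensitively against the full command line; net1.exe and
# explicit .exe suffixes are covered so renaming/full paths do not bypass.
RULES = [
    (re.compile(r"\bnltest(\.exe)?\b.*/(dclist|dsgetdc)", re.I),
     "T1018 Remote System Discovery"),
    (re.compile(r"\bnltest(\.exe)?\b.*/(domain_trusts|trusted_domains)", re.I),
     "T1482 Domain Trust Discovery"),
    (re.compile(r"\bnet1?(\.exe)?\s+user\b.*/domain", re.I),
     "T1087.002 Domain Account Discovery"),
    (re.compile(r"\bnet1?(\.exe)?\s+group\b.*/domain", re.I),
     "T1069.002 Domain Groups Discovery"),
    (re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I),
     "T1069.001 Local Groups Discovery"),
]


def classify(command_line):
    """Return the technique labels whose pattern matches the command line."""
    return [label for pattern, label in RULES if pattern.search(command_line)]


def scan_events(events, burst_threshold=3):
    """Tag matching events and report every (host, user) pair that ran at least
    burst_threshold distinct discovery commands. A lone admin query is normal;
    a burst of them from one session right after an RMM connection is the
    pattern an intruder produces after landing."""
    hits = []
    per_actor = Counter()
    for ev in events:
        labels = classify(ev["command_line"])
        if not labels:
            continue
        hits.append({
            "host": ev["host"],
            "user": ev["user"],
            "parent": ev["parent_image"],  # tells you whether it came via the RMM agent
            "command_line": ev["command_line"],
            "techniques": labels,
        })
        per_actor[(ev["host"], ev["user"])] += 1
    bursts = [actor for actor, n in per_actor.items() if n >= burst_threshold]
    return hits, bursts


# Constructed sample events; the RemoteSupport agent path is hypothetical.
RMM_AGENT = "C:\\Program Files\\RemoteSupport\\agent.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "net use Z: \\\\fileserver\\share"},
    {"host": "WS07", "user": "CORP\\svc-rmm", "parent_image": RMM_AGENT,
     "command_line": "nltest /dclist:corp.local"},
    {"host": "WS07", "user": "CORP\\svc-rmm", "parent_image": RMM_AGENT,
     "command_line": "net user /domain"},
    {"host": "WS07", "user": "CORP\\svc-rmm", "parent_image": RMM_AGENT,
     "command_line": 'net group "Domain Admins" /domain'},
    {"host": "WS07", "user": "CORP\\svc-rmm", "parent_image": RMM_AGENT,
     "command_line": "nltest /domain_trusts"},
    {"host": "DC01", "user": "CORP\\admin1", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "C:\\Windows\\system32\\net1 localgroup administrators"},
]

if __name__ == "__main__":
    hits, bursts = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']} {h['user']} <- {h['parent']}: {h['command_line']}  [{', '.join(h['techniques'])}]")
    print("burst of discovery commands from:", bursts)
```

Running the two AttackIQ scenarios listed above should produce events that this logic tags as T1018 and T1087.002 on the target host; if the SIEM query equivalent of `classify` returns nothing for that host, the gap is in telemetry (command-line auditing not enabled, Sysmon not deployed) rather than in the rule. The parent image is kept in every hit because the page's point is that the activity arrives through the RMM session: a discovery burst whose parent is the RMM agent rather than an interactive shell is the case to alert on first.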
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend against these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations first, with the goal of adapting them to your environment and determining whether you have already been impacted, before reviewing the assessment results.
Wrap-up
In summary, the recommendations described in this post are a good starting point for evaluating the effectiveness of your security personnel, processes, and security controls against these and similar threats. With data generated from continuous testing and the use of these existing assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against known adversaries.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
