DragonForce Ransomware Leveraged in MSP Attack Using RMM Tool


A targeted cyber-attack exploiting a managed service provider’s (MSP) remote monitoring and management tool has resulted in ransomware deployment and data theft across several client networks.

The incident, identified and partly contained by Sophos Managed Detection and Response (MDR), involved the DragonForce ransomware-as-a-service (RaaS) operation.

The attack began when the threat actor gained access to the MSP’s SimpleHelp remote monitoring and management (RMM) instance and used it to push a malicious SimpleHelp installer to multiple endpoints, giving them control of systems across several client networks.

Sophos researchers believe with medium confidence that the attacker chained three SimpleHelp vulnerabilities disclosed in January 2025 and fixed by the vendor in versions 5.3.9, 5.4.10 and 5.5.8:

  • CVE-2024-57727: Path traversal flaws allowing unauthenticated file reads from the server
  • CVE-2024-57728: Arbitrary file upload flaw, usable for remote code execution by an admin-level account
  • CVE-2024-57726: Privilege escalation flaw allowing a low-privilege technician account to become an admin

Once inside, the attackers exfiltrated sensitive client data and used DragonForce ransomware to encrypt systems. The group adopted a double extortion strategy, demanding ransom while threatening to leak stolen data.


The intrusion was first detected when Sophos MDR flagged an anomalous SimpleHelp installer running on a customer endpoint.

Sophos said it traced the activity back to the MSP’s RMM instance and found the attacker had gathered detailed information across multiple customer environments, including device names, user data and network configurations.
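The detection described above, an RMM installer that should not be there, is the kind of signal an MSP can hunt for in its own process-creation telemetry. The script below is an added illustration, not Sophos's detection logic or SimpleHelp's own tooling. It assumes a normalized JSON-lines feed of process-creation events (fields ts, host, image, parent, cmdline), that the MSP knows the hostname of its legitimate SimpleHelp server, that pushed installers are launched by the RMM agent rather than interactively, and that the installer is handed its server as a URL on the command line. The installer file names, hostnames, paths and the 203.0.113.45 address are all constructed for the example. Three rules are applied: an installer pointing at a server outside the allowlist, an installer launched by an unexpected parent, and a burst of installers for one server landing on several hosts within a short window, which is what a mass push through a compromised RMM looks like.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Tunables: assumptions for this example, replace with the MSP's real values ---
ALLOWED_RMM_SERVERS = {"rmm.msp-example.com"}            # the MSP's legitimate SimpleHelp server(s)
DEPLOY_PARENTS = {"remote access.exe", "services.exe"}   # processes expected to launch a pushed installer
MASS_DEPLOY_WINDOW = timedelta(minutes=15)               # burst window for the mass-deployment rule
MASS_DEPLOY_HOSTS = 3                                    # distinct hosts that make a burst suspicious

INSTALLER_RE = re.compile(r"(remote access|simplehelp).*\.exe$", re.I)  # assumed installer naming
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)            # assumed: server passed as a URL

# Constructed sample telemetry (JSON lines). Every host, path, file name and the
# 203.0.113.45 address (a documentation range) is invented for illustration.
SAMPLE_TELEMETRY = r"""
{"ts":"2025-05-20T02:11:05Z","host":"CLIENTA-WS01","image":"C:\\Temp\\Remote Access-setup.exe","parent":"C:\\Program Files\\MSP RMM\\Remote Access.exe","cmdline":"Remote Access-setup.exe /S https://rmm.msp-example.com:443"}
{"ts":"2025-05-20T03:40:12Z","host":"CLIENTA-WS02","image":"C:\\Temp\\Remote Access-setup.exe","parent":"C:\\Program Files\\MSP RMM\\Remote Access.exe","cmdline":"Remote Access-setup.exe /S https://203.0.113.45:443"}
{"ts":"2025-05-20T03:40:20Z","host":"CLIENTB-SRV01","image":"C:\\Temp\\Remote Access-setup.exe","parent":"C:\\Program Files\\MSP RMM\\Remote Access.exe","cmdline":"Remote Access-setup.exe /S https://203.0.113.45:443"}
{"ts":"2025-05-20T03:40:33Z","host":"CLIENTC-FS01","image":"C:\\Temp\\Remote Access-setup.exe","parent":"C:\\Program Files\\MSP RMM\\Remote Access.exe","cmdline":"Remote Access-setup.exe /S https://203.0.113.45:443"}
{"ts":"2025-05-20T09:15:00Z","host":"CLIENTD-WS07","image":"C:\\Users\\jdoe\\Downloads\\Remote Access-setup.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"Remote Access-setup.exe https://rmm.msp-example.com"}
{"ts":"2025-05-20T09:16:00Z","host":"CLIENTD-WS07","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, converting 'ts' to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_installer(ev):
    return bool(INSTALLER_RE.search(basename(ev["image"])))


def target_server(cmdline):
    """Host the installer was told to connect to, or None if no URL is present."""
    m = URL_HOST_RE.search(cmdline)
    return m.group(1).lower() if m else None


def hunt(events):
    """Apply the three rules; each finding is (rule, host(s), ts_iso, detail)."""
    findings = []
    by_server = defaultdict(list)
    for ev in events:
        if not is_installer(ev):
            continue
        server = target_server(ev["cmdline"])
        by_server[server].append(ev)
        if server not in ALLOWED_RMM_SERVERS:
            findings.append(("unknown_rmm_server", ev["host"], ev["ts"].isoformat(),
                             f"installer points at {server!r}"))
        if basename(ev["parent"]) not in DEPLOY_PARENTS:
            findings.append(("unexpected_parent", ev["host"], ev["ts"].isoformat(),
                             f"launched by {basename(ev['parent'])}"))
    # Burst rule: one server reaching >= MASS_DEPLOY_HOSTS distinct hosts inside the window.
    for server, evs in by_server.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= MASS_DEPLOY_WINDOW}
            if len(hosts) >= MASS_DEPLOY_HOSTS:
                findings.append(("mass_deployment", ",".join(sorted(hosts)), first["ts"].isoformat(),
                                 f"{len(hosts)} hosts received an installer for {server!r} within {MASS_DEPLOY_WINDOW}"))
                break
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'unknown_rmm_server': 3, ...}."""
    return dict(Counter(rule for rule, *_ in findings))


if __name__ == "__main__":
    for rule, host, ts, detail in hunt(parse_events(SAMPLE_TELEMETRY)):
        print(f"{ts} {rule:<20} {host:<40} {detail}")
```

On the constructed sample the allowlist rule fires for the three endpoints whose installer points at the unknown server, the burst rule ties those three together as one push, and the parent rule flags the interactive install on CLIENTD-WS07 for triage. The thresholds and the installer-naming regex are the parts most likely to need tuning against a real feed.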

One client, protected by Sophos XDR and enrolled in MDR services, avoided the ransomware attack entirely. According to the security firm, behavioral detection and swift incident response actions neutralized the threat before damage occurred.

However, other clients of the MSP without MDR coverage suffered both data theft and ransomware encryption.

Sophos Rapid Response has since been engaged to assist the MSP with forensics and containment.

A Rising Threat Actor

DragonForce, which surfaced in mid-2023, has recently shifted to a distributed affiliate model and branded itself as a “cartel.” This rebranding aligns with its efforts to broaden its affiliate base.

The group recently claimed to have taken over RansomHub infrastructure, a move that’s drawn significant attention within the cyber-threat community.

Reports suggest well-known ransomware affiliates, including Scattered Spider (UNC3944), have adopted DragonForce in recent attacks. These campaigns have targeted well-known retail businesses in both the UK and the US.
