DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers
Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom.
Sophos MDR has medium confidence that the threat actor exploited a chain of vulnerabilities that were disclosed in January 2025:
- CVE-2024-57727: Multiple path traversal vulnerabilities
- CVE-2024-57728: Arbitrary file upload vulnerability
- CVE-2024-57726: Privilege escalation vulnerability
This post is licensed under CC BY 4.0 by the author.