Old 05-28-2025, 02:35 PM

Тарзан



DragonForce, a ransomware "cartel" that has gained significant popularity since its debut in 2023, attacked an MSP as part of a recent supply chain attack, via known SimpleHelp bugs.







The DragonForce ransomware gang attacked a managed service provider's (MSP) remote monitoring and management (RMM) tool in order to conduct a supply chain attack.



This news comes from Sophos, which today published research concerning an unnamed MSP and an attack conducted by DragonForce, a gang that emerged in 2023 and has become known for its unique ransomware-as-a-service (RaaS) scheme. The group exploited a chain of three vulnerabilities in the remote monitoring and management (RMM) tool SimpleHelp before deploying its ransomware at multiple endpoints and hitting downstream customers.



The MSP supply chain attack marks only the latest activity of a group that is quickly becoming one of the more popular options for affiliate hackers in the criminal underworld.



DragonForce Attacks SimpleHelp Bugs



SimpleHelp is a customer support and remote access tool used in a number of business scenarios; however, like many other remote access tools, it's also a popular target for threat actors looking to get high-level access either through vulnerabilities (as in this case) or tech support scams/social engineering attacks.



The flaws, which became public in January, include multiple path traversal vulnerabilities collectively tracked as CVE-2024-57727; an arbitrary file upload vulnerability CVE-2024-57728; and a privilege escalation vulnerability CVE-2024-57726.



A spokesperson for SimpleHelp tells Dark Reading that the set of severe vulnerabilities affects SimpleHelp versions 5.5.7 and earlier, and "within 48 hours [of being notified of the bugs], we'd investigated, developed and verified our fixes against each, and released an update."



The spokesperson adds, "Most of our customers update very soon after we issue a new release, or in this case did so following our security bulletins. To our knowledge, none who updated to a secured release (or applied the patches we made available for free to users on older releases) within the following days have been affected by exploitation of these vulnerabilities. Unfortunately, the CVEs and details of the vulnerability were then made public shortly thereafter and before some of our customers had updated. We take security extremely seriously and we continue to invest in proactive measures to strengthen our security posture."



Customers are advised to update their SimpleHelp instances to a fixed version if they have not yet done so.
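A defender's triage check for the affected-version range quoted above, added here as an example and not code from SimpleHelp, Sophos or Dark Reading; the hostnames and versions in the inventory are constructed, and the 5.5.7 boundary is taken from the vendor statement in the article.

```python
"""Flag SimpleHelp instances still in the affected range for CVE-2024-57727,
CVE-2024-57728 and CVE-2024-57726 (5.5.7 and earlier, per the article).
Added example; inventory entries are constructed sample data."""
from typing import List, Tuple

AFFECTED_MAX = "5.5.7"  # boundary quoted from the vendor in the article
CVES = ("CVE-2024-57727", "CVE-2024-57728", "CVE-2024-57726")

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.5.7' into (5, 5, 7) so components compare numerically.
    A plain string compare would wrongly rank '5.5.10' below '5.5.7'."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable SimpleHelp version string: {v!r}")
    return tuple(int(p) for p in parts)

def is_affected(version: str) -> bool:
    """True when the reported version is 5.5.7 or earlier."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)

def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames that need attention. Unparseable versions are
    reported too: an unknown version is not evidence of an update.
    Caveat: the vendor also shipped patches for older releases, so a
    flagged host still needs its patch state confirmed by hand."""
    needs_update = []
    for host, version in inventory:
        try:
            affected = is_affected(version)
        except ValueError:
            affected = True
        if affected:
            needs_update.append(host)
    return needs_update

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("rmm-msp-01.example", "5.5.7"),    # affected: at the boundary
    ("rmm-msp-02.example", "5.5.10"),   # not affected; trips string compare
    ("rmm-msp-03.example", "5.4.9"),    # affected: older release
    ("rmm-msp-04.example", "unknown"),  # flagged: version not verifiable
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update SimpleHelp, exposed to {', '.join(CVES)}")
```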



Sophos said its managed detection and response (MDR) product detected a "suspicious installation of a SimpleHelp installer file" on a client's computer and noted that "the installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by [an] MSP for their clients."



In addition to maliciously pushing the SimpleHelp instance to customers, the attacker used access to the MSP to gain access to many of its customers. One of the MSP's clients was able to shut down attacker access to the network via MDR and extended detection and response (XDR) capabilities, but a number of other downstream customers were impacted by ransomware and data theft, leading to double-extortion attacks.



DragonForce: "Customer-Centric" Ransomware



Sophos was unable to say whether it was DragonForce itself or one of its affiliates that conducted the MSP attack, but regardless, the campaign further illustrates how the threat actor is quickly gaining traction in the underground ecosystem.



That's in part because of its "customer-centric" practices; it utilizes a unique model that enables affiliates to use their own "branding" on top of DragonForce's infrastructure and tools, if they so choose, in addition to deploying the gang's ransomware wholesale. On March 31, prolific RaaS gang RansomHub's leak site went offline, with some of its members seemingly moving over to DragonForce in some capacity.



And on top of strange signs of hostile takeovers, DragonForce apparently defaced the leak sites of the BlackLock and Mamona ransomware gangs around the same time it announced it would become a "cartel" on March 19, according to Sophos research published last week. The gang also claimed high profile attacks against UK retailers Harrods, Marks & Spencer, and Co-op.



Rafe Pilling, director of threat intelligence at Sophos' Counter Threat Unit, tells Dark Reading that, from a promotional standpoint, DragonForce is one of the most aggressive he's seen since LockBit.



"[DragonForce is] one of the most prominent brands right now, aggressively advertising in underground forums," Pilling says. "They also offer a favorable profit share (80/20 split) in favor of the affiliate/partner, which is likely to motivate groups to work with them. Currently, they are not the most active group in terms of ransomware incidents — Akira holds that spot — but we may see that change over the next few months."



Christiaan Beek, senior director of threat analytics at Rapid7, calls DragonForce "an attractive hub for unaffiliated or displaced threat actors, particularly in the aftermath of RansomHub's disappearance in April." Beek says more than 70 publicly reported attacks have been linked to the group to date.



"DragonForce does not appear to discriminate based on industry or geography, and they are increasingly representative of the ransomware-as-a-service model’s new era: one defined by flexibility, anonymity, automation, and aggressive double-extortion tactics," he says. "As trust in legacy RaaS operators wanes, DragonForce is positioning itself as a new and lucrative alternative."



According to Coveware by Veeam CEO Bill Siegel, DragonForce is yet another actor in the cycle of gangs breaking up, rebranding, and being replaced, and it joins the long list of groups making bold statements for marketing attention. Moreover, it seems less like a classic cartel with a tightly run operation and more like a loose, constantly changing network.



"We're seeing more new group names pop up, more big claims of power, and more partnerships between actors. It all points to a competitive marketplace where groups fight for attention, affiliates, and reputation," he says. "DragonForce's aggressive branding fits right in. It's more about standing out and recruiting than improving how attacks are actually done. If anything, their rise shows how ransomware has become more decentralized and easier to get into."



As DragonForce often focuses on credential and data theft, Sophos advised defenders to implement endpoint detection for infostealer activity, deploy password managers, enforce strict identity verification protocols for IT and help desk engagements, and conduct regular tabletop exercises.



© https://www.darkreading.com/applicat...y-chain-attack