{
  "name": "Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor",
  "slug": "not-so-simplehelp-exploits-enabling-deployment-of-sliver-backdoor",
  "description": "A sophisticated breach was identified in which threat actors exploited vulnerabilities in SimpleHelp's Remote Monitoring and Management client to infiltrate a network. The attack involved post-compromise tactics including network discovery, creation of an administrator account, and establishment of persistence. The threat actor connected via a vulnerable RMM client, executed discovery commands, created a new admin account, and installed a Sliver backdoor. The backdoor was configured to connect to specific IP addresses. On the domain controller, a cloudflared tunnel was installed for the potential deployment of further payloads. The attack's TTPs resembled those of the Akira Ransomware group. A previous incident involving SimpleHelp RMM exploitation was also confirmed. Organizations are urged to update their RMM clients and adopt robust cybersecurity solutions.",
  "published": "2025-02-06T23:08:41+00:00",
  "created_at": "2025-02-06T23:08:41+00:00",
  "modified_at": "2025-02-07T07:22:33+00:00",
  "created_at_opencti": "2025-02-06T23:08:41+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-07",
    "akira",
    "backdoor",
    "cloudflared",
    "exploit",
    "lateral movement",
    "rmm",
    "simplehelp",
    "sliver"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45.9.149.136"
      },
      {
        "id": "",
        "name": "45.9.148.136"
      },
      {
        "id": "",
        "name": "213.173.45.230"
      },
      {
        "id": "",
        "name": "194.76.227.171"
      },
      {
        "id": "",
        "name": "45.9.149.112"
      },
      {
        "id": "",
        "name": "15f3e5b47894b953542d2fe2353786229da47af00c96dc1b41a8efe631364e49"
      }
    ],
    "malware": [
      {
        "id": "c70c9980-18de-4208-93f5-0bd2dddeb40c",
        "name": "Sliver",
        "slug": "sliver"
      }
    ],
    "attack_patterns": [
      {
        "id": "6b5f1e68-aec7-4ea0-9777-62156da790a7",
        "name": "T1069"
      },
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      },
      {
        "id": "3be1a227-bbd0-4e76-9422-40e4078224f9",
        "name": "T1007"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "19ce62bb-3faf-4d09-90b1-d82fce1ba8b0",
        "name": "T1136"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067",
        "name": "T1047"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "ccb28547-a340-4193-a5d9-69222f3d5051",
        "name": "T1049"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Estonia"
      },
      {
        "id": "",
        "name": "Netherlands"
      },
      {
        "id": "",
        "name": "Russian Federation"
      }
    ]
  },
  "external_refs": [
    "https://fieldeffect.com/blog/simplehelp-exploits-enabling-sliver-backdoor",
    "https://otx.alienvault.com/pulse/67a54f099fa61d1145ed0184"
  ]
}