
Sliver malware spread via SimpleHelp RMM exploits


BleepingComputer reports that vulnerable SimpleHelp Remote Monitoring and Management instances affected by the CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 flaws have been targeted to deliver the Sliver post-exploitation framework, which has gained traction as a Cobalt Strike alternative.

According to an analysis from cybersecurity provider Field Effect, the attackers first exploited the SimpleHelp RMM vulnerabilities to connect to a targeted endpoint, then ran several discovery commands to gather system and network data, domain controller details, and information about the CrowdStrike Falcon deployment. They secured access to the environment by creating a new admin account and eventually deploying the Sliver malware, which then waited for further commands to establish persistence. Using the same SimpleHelp RMM client and another admin account, the attackers went on to compromise the domain controller and deploy a Cloudflare Tunnel disguised as the Windows svchost.exe process for covert access, Field Effect said. Immediate remediation of vulnerable SimpleHelp RMM clients has been urged.
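Two of the artifacts Field Effect describes, a freshly created admin account and a binary posing as svchost.exe, leave traces in standard Windows telemetry. The script below is an added example, not code from the article or from Field Effect; its event records are constructed, and the field names (ts, id, target, group, image) assume a normalised SIEM export of Security events 4720/4732 and Sysmon process-creation events.

```python
"""Triage constructed Windows event records for two artifacts described above:
a newly created account promoted to Administrators, and a file named
svchost.exe running from outside the Windows system directories."""
import ntpath
from datetime import datetime, timedelta

# Constructed sample events (not taken from the article). 4720 = account
# created, 4732 = member added to a local group, 1 = Sysmon process creation.
EVENTS = [
    {"ts": "2025-01-20T10:01:00", "id": 4720, "target": "svc_backup"},
    {"ts": "2025-01-20T10:01:30", "id": 4732, "target": "svc_backup",
     "group": "Administrators"},
    {"ts": "2025-01-20T10:05:00", "id": 1,
     "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2025-01-20T10:09:00", "id": 1,
     "image": r"C:\ProgramData\svchost.exe"},
]

# Only these directories legitimately host svchost.exe.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_svchost_masquerade(image: str) -> bool:
    """True when the file is called svchost.exe but lives somewhere else."""
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower().rstrip("\\")
    return name == "svchost.exe" and folder not in SVCHOST_DIRS


def new_admin_accounts(events, window=timedelta(minutes=10)):
    """Yield accounts created (4720) and added to Administrators (4732) within window."""
    created = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(e["ts"])
        if e["id"] == 4720:
            created[e["target"]] = when
        elif e["id"] == 4732 and e.get("group", "").lower() == "administrators":
            born = created.get(e["target"])
            if born is not None and when - born <= window:
                yield e["target"]


def triage(events):
    """Return one alert string per suspicious finding."""
    alerts = [f"new admin account: {u}" for u in new_admin_accounts(events)]
    alerts += [f"svchost.exe masquerade: {e['image']}"
               for e in events if e["id"] == 1 and is_svchost_masquerade(e["image"])]
    return alerts


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```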
