SimpleHelp RMM vulnerabilities may have been exploited to breach healthcare orgs
Attackers may have leveraged vulnerabilities in the SimpleHelp remote monitoring and management solution to gain initial access to healthcare organizations.
About the vulnerabilities
On January 13, 2025, Horizon3.ai researchers revealed their discovery of three vulnerabilities affecting SimpleHelp’s server component, which would allow attackers to:
- Download files from the SimpleHelp server (e.g., log and configuration files)
- Use access credentials extracted from config files to authenticate to the server, elevate their privileges to admin, and upload files, execute commands, or even access remote machines with the SimpleHelp client support application installed (if the “unattended access” option is switched on).
The researchers said that the flaws “are trivial to reverse and exploit.”
They’ve notified the SimpleHelp developers, who promptly created patches and a fixed version of the SimpleHelp server package and advised customers on how to minimize the risk of exploitation.
The detected attack
Arctic Wolf researchers shared last week that on January 22, 2025, they “began observing a campaign involving unauthorized access to devices running SimpleHelp RMM software as an initial access vector”.
SimpleHelp’s Remote Access.exe process had already been running in the background on those devices, they said, due to a previous support session from a third-party vendor.
“The first signs of compromise were communications from the [SimpleHelp] client process to an unapproved SimpleHelp server instance. The threat activity also involved enumeration of accounts and domain information through a cmd.exe process initiated via a SimpleHelp session, using tools such as net and nltest. The threat actors were not observed acting on objectives because the session was terminated before the attack progressed further,” they added.
The Arctic Wolf Labs team told Help Net Security that they could not fully confirm whether the vulnerabilities were exploited because the SimpleHelp server is off-premises, and that limits their visibility.
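As an added illustration of the two signals Arctic Wolf describes (not code from the article, Arctic Wolf or SimpleHelp), the following Python flags a SimpleHelp client process contacting a server outside an assumed allow-list, and net/nltest launched from a cmd.exe that descends from the SimpleHelp session. The event fields, the allow-list and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    kind: str                    # "proc" (process creation) or "netconn"
    pid: int
    image: str                   # image name of the acting process
    parent_pid: Optional[int] = None
    parent_image: str = ""
    cmdline: str = ""
    dest: str = ""               # destination host of a "netconn" event


# Assumed allow-list of the SimpleHelp server(s) your support vendor actually uses.
APPROVED_SERVERS = {"support.vendor.example"}
RECON_TOOLS = {"net.exe", "net1.exe", "nltest.exe"}


def is_simplehelp(image: str) -> bool:
    # The article names the client process as "Remote Access.exe".
    return image.lower().endswith("remote access.exe")


def detect(events: List[Event], approved=APPROVED_SERVERS) -> List[str]:
    alerts: List[str] = []
    session_pids = set()   # processes descending from the SimpleHelp client
    for ev in events:
        if ev.kind == "netconn" and is_simplehelp(ev.image) and ev.dest not in approved:
            alerts.append(f"unapproved SimpleHelp server contact: {ev.dest}")
        elif ev.kind == "proc":
            if ev.parent_pid in session_pids or is_simplehelp(ev.parent_image):
                session_pids.add(ev.pid)          # e.g. cmd.exe spawned by the session
                if ev.image.lower() in RECON_TOOLS:
                    alerts.append(f"recon via SimpleHelp session: {ev.cmdline}")
    return alerts


def sample_events() -> List[Event]:
    """Constructed events; 198.51.100.7 is a documentation address, not an IOC."""
    return [
        Event("netconn", 500, "Remote Access.exe", dest="support.vendor.example"),
        Event("netconn", 500, "Remote Access.exe", dest="198.51.100.7"),
        Event("proc", 600, "cmd.exe", parent_pid=500, parent_image="Remote Access.exe"),
        Event("proc", 601, "net.exe", parent_pid=600, parent_image="cmd.exe", cmdline="net user /domain"),
        Event("proc", 602, "nltest.exe", parent_pid=600, parent_image="cmd.exe", cmdline="nltest /domain_trusts"),
        Event("proc", 700, "net.exe", parent_pid=42, parent_image="explorer.exe", cmdline="net user /domain"),
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The last sample event (net.exe under explorer.exe) is deliberately not flagged: the signal is the process lineage back to the SimpleHelp session, not the tool by itself.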
Possible victims
While Arctic Wolf couldn’t disclose the identity of the third-party vendor, they said the vendor informed customers about a campaign affecting SimpleHelp and shared a few specific indicators of compromise (IOCs).
The information shared on the status page for InteleShare (formerly Ambra Image Exchange), a platform/service healthcare organizations use to upload, store and exchange diagnostic imaging, could be pointing to the victim(s), though.
“We would like to inform you of a recently discovered security vulnerability in SimpleHelp (version 5.5.7 and earlier), a remote support and desktop management software used to support many InteleShare clients,” Intelerad – the company running the platform – stated on January 21, and advised customers to get their security team to read a knowledge article containing known IOCs and check their systems.
“Should you notice any IOCs present on your systems our recommendation is to consult with your Security Team immediately regarding device isolation,” the company noted a day later.
A final update came yesterday. “We have deployed additional security monitoring of our client’s InteleShare environments. If we detect any activity in your environment related to the SimpleHelp vulnerability that we believe is a potential indicator of compromise, we will contact you immediately,” the company said.
“If your team detects a compromise, please notify Intelerad Support immediately through the Intelerad Service Portal. Additionally, we will not be using SimpleHelp in conjunction with any of our Intelerad products going forward.”
Unfortunately, the knowledge article is inaccessible to unregistered users, but the timeline of the notices and the mention of instructions for “config file verification” point to potential exploitation of one or more of the vulnerabilities discovered by Horizon3.ai researchers.
How many supported organizations were ultimately hit by the attackers is unknown.
Help Net Security has reached out to Intelerad for more information, and we’ll update this article when we know more.
Update: January 30, 2025 – 1:34 PM ET
Intelerad sent us the following comment:
We are aware of the security vulnerability discovered in SimpleHelp, a remote support tool used by many of our InteleShare clients. While Intelerad does not manage the SimpleHelp software directly, the protection of our clients’ data is our top priority. As a precautionary measure, we have disabled SimpleHelp software for all clients and are actively investigating the issue. We will provide an update if and when more information becomes available.