Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor

Feb. 7, 2025, 8:22 a.m.

Description

A sophisticated breach was identified where threat actors exploited vulnerabilities in SimpleHelp's Remote Monitoring and Management (RMM) client to infiltrate a network. The attack involved post-compromise tactics including network discovery, administrator account creation, and persistence establishment. The threat actor connected via a vulnerable RMM client, executed discovery commands, created a new admin account, and installed a Sliver backdoor. The backdoor was configured to connect to specific IP addresses. On the domain controller, a cloudflared tunnel was installed for potential further payload deployment. The attack's TTPs resembled those of the Akira ransomware group. A previous incident involving SimpleHelp RMM exploitation was also confirmed. Organizations are urged to update their RMM clients and adopt robust cybersecurity solutions.

Date

  • Created: Feb. 7, 2025, 12:08 a.m.
  • Published: Feb. 7, 2025, 12:08 a.m.
  • Modified: Feb. 7, 2025, 8:22 a.m.

Indicators

  • 15f3e5b47894b953542d2fe2353786229da47af00c96dc1b41a8efe631364e49
  • 45.9.149.136
  • 45.9.148.136
  • 213.173.45.230
  • 194.76.227.171
  • 45.9.149.112

Additional Information

  • Estonia
  • Netherlands
  • Russian Federation