
Potential Exploitation of SimpleHelp RMM Vulnerabilities Could Compromise Healthcare Organizations


In recent news, attackers have potentially exploited vulnerabilities in the SimpleHelp remote monitoring and management solution to gain initial access to healthcare organizations.

On January 13, 2025, researchers from Horizon3.ai uncovered three critical vulnerabilities affecting SimpleHelp’s server component. These vulnerabilities allowed attackers to download files from the SimpleHelp server, extract access credentials from configuration files, elevate their privileges to admin, and perform various malicious actions such as uploading files, executing commands, or accessing remote machines with the SimpleHelp client support application installed. The researchers emphasized that these flaws were easy to reverse and exploit. Upon notification, the SimpleHelp developers swiftly created patches and released a fixed version of the server package to address these vulnerabilities. They also provided guidelines to customers on how to reduce the risk of exploitation.

Following the discovery of these vulnerabilities, Arctic Wolf researchers reported observing a campaign on January 22, 2025, involving unauthorized access to devices running SimpleHelp RMM software. The attack targeted devices where the SimpleHelp Remote Access.exe process was already running in the background due to a previous support session from a third-party vendor. The threat actors initiated unauthorized communications from the SimpleHelp client process to an unapproved SimpleHelp server instance. They also engaged in account and domain enumeration through a cmd.exe process activated via a SimpleHelp session, using tools like net and nltest. While the attackers were unable to progress further in their activities as the session was terminated, the incident raised concerns about potential data breaches and unauthorized access.
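As an added illustration (not part of the original article, and not Arctic Wolf or SimpleHelp tooling), the two behaviours described above can be expressed as a detection over process-creation and network-connection events: a SimpleHelp client process connecting to a server outside an approved allowlist, and cmd.exe plus net/nltest launched under a SimpleHelp session. The event shape, file paths, allowlist and sample events are constructed for the example.

```python
from dataclasses import dataclass

RMM_CLIENT = "remote access.exe"                 # SimpleHelp client process named in the article
ENUM_TOOLS = {"net.exe", "nltest.exe"}           # enumeration tools named in the article
APPROVED_SERVERS = {"support.vendor.example"}    # constructed allowlist of your vendors' servers

@dataclass
class ProcEvent:            # process creation, Sysmon event ID 1 style (constructed shape)
    image: str
    parent_image: str
    grandparent_image: str = ""   # lets net/nltest be tied back through cmd.exe to the RMM client
    cmdline: str = ""

@dataclass
class NetEvent:             # outbound connection, Sysmon event ID 3 style (constructed shape)
    image: str
    dest_host: str

def _name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events, approved=APPROVED_SERVERS):
    """Return one alert string per suspicious SimpleHelp client behaviour."""
    alerts = []
    for e in events:
        if isinstance(e, NetEvent):
            if _name(e.image) == RMM_CLIENT and e.dest_host.lower() not in approved:
                alerts.append(f"SimpleHelp client connected to unapproved server {e.dest_host}")
            continue
        img, parent, gp = _name(e.image), _name(e.parent_image), _name(e.grandparent_image)
        if img == "cmd.exe" and parent == RMM_CLIENT:
            alerts.append("cmd.exe launched from SimpleHelp session")
        if img in ENUM_TOOLS and parent == "cmd.exe" and gp == RMM_CLIENT:
            alerts.append(f"enumeration via SimpleHelp session: {e.cmdline}")
    return alerts

# Constructed sample telemetry modelled on the activity the article describes.
CLIENT = r"C:\Program Files\SimpleHelp\Remote Access.exe"   # constructed path
SAMPLE_EVENTS = [
    NetEvent(CLIENT, "support.vendor.example"),              # approved vendor: no alert
    NetEvent(CLIENT, "203.0.113.10"),                        # unapproved server: alert
    ProcEvent(r"C:\Windows\System32\cmd.exe", CLIENT),       # shell from RMM session: alert
    ProcEvent(r"C:\Windows\System32\nltest.exe", r"C:\Windows\System32\cmd.exe",
              CLIENT, "nltest /domain_trusts"),              # domain enumeration: alert
    ProcEvent(r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "net user"),       # admin at keyboard: no alert
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print("ALERT:", a)
```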

Arctic Wolf Labs mentioned that due to the absence of on-premises SimpleHelp servers, their visibility into the exploitation of vulnerabilities was limited. However, they shared specific indicators of compromise (IOCs) with affected third-party vendors to help mitigate the risk.

One of the possible victims of this attack could be InteleShare (formerly Ambra Image Exchange), a platform used by healthcare organizations to exchange diagnostic imaging. The platform’s status page carried a security advisory about the SimpleHelp vulnerability, urging customers to take precautionary measures and monitor their systems for any signs of compromise. Intelerad, the company that operates InteleShare, deployed additional security monitoring and stated that it would discontinue the use of SimpleHelp with its products to avoid similar exposure in the future.

Despite efforts to address the security breach, information about the exact number of affected organizations remains undisclosed. Intelerad has been contacted for further details, and updates will be provided as more information becomes available. The incident underscores the importance of robust cybersecurity measures in safeguarding critical infrastructure and sensitive data from evolving cyber threats.
