Simple Help attacked

Hi ElectSys,

We’re sorry to hear about this exploit, particularly since it was the attack on a SimpleHelp technician’s local machine that allowed the software to be distributed.

Our request is always for additional information when security breaches such as this are reported. The more information we are presented with, the easier it is for us to better understand whether SimpleHelp was compromised, the nature of the attack, and whether other SimpleHelp servers are vulnerable.

From the brief information you sent us on Friday and have posted here it looks like access was gained to a technician’s machine (and thereby Administrative access to the SimpleHelp server).

Some things we suggest:

  • it is usually more feasible to automatically log out the inactive OS user rather than to specify this on an application-by-application basis. Logging out the user has advantages over locking the workstation (particularly, session tokens will automatically require renewing). Of course, if the machine has been compromised the malicious user might monitor keystrokes to subsequently gain OS-level access.

  • enabling 2FA in SimpleHelp will ensure that even if the technician’s password is compromised the malicious user won’t be able to login.

  • you can disable tools in the Access tab. It is a Technician Group permission (Toolbox > Run tools in the Access tab). This will not disable tools from running in the session.

  • it was not the server log that was modified, but the history of sessions (this can be modified by any SimpleHelp administrator). There is no mechanism to modify the server-side log via the Technician Console.

Once we receive the logs we asked for we will better understand what actions were taken by this malicious user.