Simple Help attacked

Based on what we have heard so far, there does not appear to be any evidence that either SimpleHelp or Avast was hacked. Rather, the technician's machine was compromised, and they were logged in to both SimpleHelp and Avast and were absent at the time.

There is a logoff button in the technician preferences tab under Account (the top entry).

Regarding point 2, being able to deploy a script to multiple machines rather than having to take the same action 700 times is not a design flaw; it is the entire point of the feature. There are permissions to disable this facility on a per-tech or per-tech-group basis if you wish to make it unavailable, but limiting this by number (e.g. 10 machines max at a time) won't prevent a bad actor that has already gained access as an authorised user from carrying out the same attack on all the machines; it will just take them a little longer.

As with the technician console timeout, a limit would not prevent any attack from a security standpoint. Rather, the focus has to be on preventing bad actors from gaining access as an authorised technician. We have a number of features in place, such as MFA and technician client login IP restriction, to ensure that tech accounts are secure from hacking, but fundamentally, if the technician logs in to SimpleHelp (or any other software, like Avast) from a compromised machine and then leaves the bad actor free to use it, whether by accident or intention, then any software on that machine that is already authenticated is open to abuse, and there is really not anything that any of that software can do about it.

Remote Access service machines are not considered privileged and do not have any of the abilities of authenticated technicians; it is not possible for them to run scripts arbitrarily on other remote access services.