Security experts are cautioning the public about two high-risk vulnerabilities found in a popular remote access tool, which are now being used by hackers to distribute LockBit ransomware. This comes just days after authorities announced that they had dismantled a notorious cybercrime group linked to Russia.
Researchers at cybersecurity companies Huntress and Sophos have reported observations of LockBit attacks after the exploitation of a set of vulnerabilities affecting ConnectWise ScreenConnect. This remote access tool is widely used by IT technicians to provide remote technical support on customer systems.
These flaws consist of two bugs – CVE-2024-1709 and CVE-2024-1708. The former is an authentication bypass vulnerability that is surprisingly easy for hackers to exploit, and has been actively taken advantage of since Tuesday after ConnectWise released a security update and urged organizations to patch their systems. The latter bug, a path traversal vulnerability, can be used with the former to remotely install malicious code on an affected system.
Sophos revealed through a post on Mastodon that they had seen “several LockBit attacks” following the exploitation of the ConnectWise vulnerabilities. They also noted two interesting points – first, that the ScreenConnect vulnerabilities are being actively exploited in the wild, and second, that despite the law enforcement operation against LockBit, some affiliates of the cybercrime group are still operational.
“Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running,” Sophos said, referring to the recent takedown of LockBit’s infrastructure by authorities.
Sophos X-Ops’ Director of Threat Research, Christopher Budd, stated through email that their findings indicate that “ScreenConnect was the start of the observed execution chain,” and that the version of ScreenConnect being used was vulnerable.
Huntress’ Senior Director of Threat Operations, Max Rogers, also confirmed that their cybersecurity company has observed instances of LockBit ransomware being spread through attacks exploiting the ScreenConnect vulnerability. Rogers declined to disclose the names of affected customers but mentioned that Huntress has observed LockBit ransomware attacks across various industries.
The infrastructure for LockBit ransomware was seized earlier this week during an international law enforcement operation led by the U.K.’s National Crime Agency. This operation resulted in the shutdown of LockBit’s public-facing websites, including their dark web leak site, which was used by the gang to publish stolen data from their victims. The leak site now hosts information uncovered by the operation exposing LockBit’s operations and capabilities.
This action, known as “Operation Cronos,” also led to the takedown of 34 servers in Europe, the U.K., and the United States, the seizure of over 200 cryptocurrency wallets, and the arrests of two alleged LockBit members in Poland and Ukraine.
“We can’t attribute [the ransomware attacks exploiting the ConnectWise vulnerabilities] directly to the larger LockBit group, but it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement,” Rogers stated through email when asked if these attacks were connected to the larger LockBit group.
When questioned about whether ConnectWise has noticed any internal observations of ransomware deployments, ConnectWise’s Chief Information Security Officer, Patrick Beggs, informed TechCrunch that they have not seen any incidents as of yet.
The extent of the impact on ConnectWise ScreenConnect users is currently unknown, and ConnectWise has declined to provide numbers. Their website claims that they provide their remote access technology to over a million small to medium-sized businesses.
According to the Shadowserver Foundation, a nonprofit that collects and analyzes data on malicious internet activities, the ScreenConnect flaws are being widely exploited. In a post on X (previously known as Twitter), they stated that they have observed 643 IP addresses exploiting the vulnerabilities, and more than 8,200 servers are still vulnerable.
- Remember to use proper formatting for paragraphs, quotes, and lists.
- Use appropriate HTML tags like strong and em for emphasis.
- Try to provide a new perspective through your writing.
