Security experts warn that two high-risk flaws in a popular remote access tool are being exploited by hackers to deploy LockBit ransomware — a group that authorities say is a notorious Russia-linked cybercriminal organization. This is just a few days after the announcement that it had been destroyed.
Researchers from cybersecurity companies Huntress and Sophos told TechCrunch on Thursday that both companies observed the LockBit attack after exploiting a series of vulnerabilities affecting ConnectWise ScreenConnect. ConnectWise ScreenConnect is a remote access tool widely used by IT technicians to provide remote technical support to customer systems.
This flaw consists of two bugs. CVE-2024-1709, an authentication bypass vulnerability considered “embarrassingly easy” to exploit, has been actively exploited since Tuesday, just after ConnectWise released a security update urging organizations to patch it. is being carried out. Another bug, CVE-2024-1708, is a path traversal vulnerability that, when used in conjunction with other bugs, can allow remote implantation of malicious code on an affected system.
Sophos said in a post on Mastodon on Thursday that it had seen “multiple LockBit attacks” exploiting the ConnectWise vulnerability.
“There are two interesting things here. First, as others have pointed out, the ScreenConnect vulnerability is actually being actively exploited. Second, law enforcement against LockBit. Despite the activity, some affiliates appear to still be operational,” Sophos said, referring to law enforcement operations earlier this week in which it claimed to take down LockBit's infrastructure.
Christopher Budd, director of threat research at Sophos “This shows that there was,” he said.
Max Rogers, senior director of threat operations at Huntress, told TechCrunch that the cybersecurity firm is seeing LockBit ransomware deployed in attacks that exploit the ScreenConnect vulnerability.
Rogers said Huntress has seen LockBit ransomware deployed on customer systems across a variety of industries, but declined to name the affected customers.
The LockBit ransomware infrastructure was seized earlier this week as part of a broader international law enforcement operation led by the UK's National Crime Agency. The operation took down Rockbit's public websites, including a dark web leak site used by criminal organizations to publish data stolen from victims. The leak site currently contains information uncovered by a British-led operation that exposes Rockbit's capabilities and operations.
The operation, known as Operation Kronos, took down 34 servers in Europe, the UK and the US, seized more than 200 crypto wallets and arrested two alleged Rockbit members in Poland and Ukraine. It was done.
“Cannot determine the cause [the ransomware attacks abusing the ConnectWise flaws] However, it is clear that LockBit has significant influence across tools, various affiliated groups, and offshoots that have not been completely wiped out despite extensive law enforcement crackdowns,” Rogers said. told TechCrunch via email.
“This is not confirmed at this time,” Patrick Beggs, ConnectWise's chief information security officer, told TechCrunch when asked if ConnectWise was also internally monitoring the ransomware deployment.
The number of ConnectWise ScreenConnect users affected by this vulnerability remains unknown, and ConnectWise declined to provide a number. His website for the company states that the organization provides remote access technology to more than 1 million of his small businesses.
The ScreenConnect flaw has been “widely exploited,” according to the Shadowserver Foundation, a nonprofit organization that collects and analyzes data on malicious Internet activity. The nonprofit organization made the announcement Thursday. In the post of Xformerly known as Twitter, announced that it has confirmed that 643 IP addresses are exploiting the vulnerability so far, adding that more than 8,200 servers remain vulnerable.