New ScreenConnect RCE flaw exploited in ransomware attacks

Image: Midjourney

Update February 23, 07:02 EST: Sophos published a report today saying that the ransomware payloads they spotted were built using the LockBit ransomware builder leaked online by a disgruntled malware developer in late September 2022.

The samples seen by Sophos in this week's attacks were a buhtiRansom LockBit variant dropped on 30 different customer networks and a second payload created using the leaked Lockbit builder (and dropped by a different threat actor).

"On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool," Sophos explained.

"It appears that our signature-based detection correctly identified the payloads as ransomware generated by the leaked LockBit builder, but the ransom notes dropped by those payloads identified one as “buhtiRansom,” and the other did not have a name in its ransom note."

The title was revised accordingly. Original story below.

---

Attackers are exploiting a maximum severity authentication bypass vulnerability to breach unpatched ScreenConnect servers and deploy LockBit ransomware payloads on compromised networks.

The maximum severity CVE-2024-1709 auth bypass flaw has been under active exploitation since Tuesday, one day after ConnectWise released security updates and several cybersecurity companies published proof-of-concept exploits.

ConnectWise also patched the CVE-2024-1708 high-severity path traversal vulnerability, which can only be abused by threat actors with high privileges.

Both security bugs impact all ScreenConnect versions, prompting the company on Wednesday to remove all license restrictions so customers with expired licenses can upgrade to the latest software version and secure their servers from attacks.

CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog today, ordering U.S. federal agencies to secure their servers within one week by February 29.

CVE-2024-1709 is now widely exploited in the wild, according to security threat monitoring platform Shadowserver, with 643 IPs currently targeting vulnerable servers.

Shodan currently tracks over 8,659 ScreenConnect servers, with only 980 running the ScreenConnect 23.9.8 patched version.

Exploited in LockBit ransomware attacks

​Today, Sophos X-Ops revealed that threat actors have been deploying LockBit ransomware on victims' systems after gaining access using exploits targeting these two ScreenConnect vulnerabilities.

"In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)," the Sophos' threat response task force said.

"Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running."

Cybersecurity company Huntress confirmed their findings and told BleepingComputer that "a local government, including systems likely linked to their 911 Systems" and a "healthcare clinic" have also been hit by LockBit ransomware attackers who used CVE-2024-1709 exploits to breach their networks.

"We can confirm that the malware being deployed is associated with Lockbit," Huntress said in an email.

"We can't attribute this directly to the larger LockBit group but it is clear that lockbit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement."

LockBit dismantled in Operation Cronos

LockBit ransomware's infrastructure was seized this week after its dark web leak sites were taken down on Monday in a global law enforcement operation codenamed Operation Cronos led by the U.K.'s National Crime Agency (NCA).

As part of this joint operation, Japan's National Police Agency developed a free LockBit 3.0 Black Ransomware decryptor using over 1,000 decryption keys retrieved from LockBit's seized servers and released on the 'No More Ransom' portal.

During Operation Cronos, several LockBit affiliates were arrested in Poland and Ukraine, while French and U.S. authorities issued three international arrest warrants and five indictments targeting other LockBit threat actors. The U.S. Justice Department brought two of these indictments against Russian suspects Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord).

Law enforcement also published additional information on the group's seized dark web leak site, revealing that LockBit had at least 188 affiliates since it emerged in September 2019.

LockBit has claimed attacks on many large-scale and government organizations worldwide over the last four years, including Boeing, the Continental automotive giant, the UK Royal Mail, and the Italian Internal Revenue Service.

The U.S. State Department now offers rewards of up to $15 million for providing information about LockBit ransomware gang members and their associates.

As BleepingComputer reported today, LockBit developers were secretly working on a new malware version dubbed LockBit-NG-Dev (which would've likely become LockBit 4.0).