Hackers are exploiting ConnectWise flaws to deploy LockBit ransomware, security experts warn

Security experts warn that hackers are exploiting a pair of high-risk flaws in a popular remote access tool to deploy LockBit ransomware, days after authorities announced that they had dismantled the notorious cybercrime gang linked to Russia.

Researchers at cybersecurity firms Huntress and Sophos told TechCrunch on Thursday that both had observed LockBit attacks following the exploitation of a set of vulnerabilities impacting ConnectWise ScreenConnect, a remote access tool widely used by IT technicians to provide remote technical support on customer systems.

The flaws are two separate bugs. CVE-2024-1709 is an authentication bypass vulnerability deemed “embarrassingly easy” to exploit, which has been under active exploitation since Tuesday, shortly after ConnectWise released security updates and urged organizations to apply patches. The other bug, CVE-2024-1708, is a path traversal vulnerability that can be chained with the first to remotely plant malicious code on an affected system.
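The article does not describe how the path traversal in CVE-2024-1708 works inside ScreenConnect, and nothing below is ConnectWise's code. As an added illustration of the bug class and its standard mitigation, the following Python shows a naive path join beside a guarded one that normalizes the requested path and refuses anything that escapes the intended directory. The base directory, file names and request samples are constructed for the example.

```python
"""Added example, not from the article or from ConnectWise: the path-traversal
bug class and its mitigation, shown on constructed inputs.  A server that
writes files under a fixed directory must check that the caller-supplied
relative path cannot climb out of that directory."""
import posixpath
from typing import Dict, Optional


def unsafe_target(base: str, relative: str) -> str:
    """Naive join: trusts the caller-supplied relative path as-is.

    '../bin/payload.dll' is simply appended, so later normalization by the
    OS lands the write outside `base`.  This is the vulnerable pattern.
    """
    return posixpath.join(base, relative)


def safe_target(base: str, relative: str) -> Optional[str]:
    """Return the normalized absolute path if it stays inside `base`, else None.

    Mitigation steps:
      1. Reject NUL bytes (they truncate paths in C-level APIs).
      2. Treat backslash as a separator too, since the product runs on Windows
         (assumption for this example) and '..\\' must not slip past a check
         that only looks for '../'.
      3. Reject absolute paths; posixpath.join would discard `base`.
      4. Normalize the joined path and require it to equal `base` or begin
         with `base` plus a separator, so 'extensions-old' does not match
         'extensions'.
    """
    if "\x00" in relative:
        return None
    relative = relative.replace("\\", "/")
    if posixpath.isabs(relative):
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, relative))
    if candidate != base_norm and not candidate.startswith(base_norm.rstrip("/") + "/"):
        return None
    return candidate


def audit(base: str, requests) -> Dict[str, Optional[str]]:
    """Map each requested relative path to its accepted target, or None if rejected."""
    return {req: safe_target(base, req) for req in requests}


if __name__ == "__main__":
    # Constructed directory and request samples for the demonstration.
    BASE = "/srv/app/extensions"
    SAMPLES = [
        "ext1/manifest.xml",          # legitimate
        "../bin/payload.dll",         # classic traversal
        "ext1/../../bin/payload.dll", # traversal hidden behind a valid prefix
        "..\\bin\\payload.dll",       # backslash variant
        "/etc/passwd",                # absolute path
        "../extensions-old/x.xml",    # sibling directory with a matching prefix
    ]
    for req, target in audit(BASE, SAMPLES).items():
        naive = unsafe_target(BASE, req)
        print(f"{req!r:32} naive={naive!r:45} guarded={target!r}")
```

The guarded version is deliberately a pure string check: it never touches the filesystem, so it can run in a request validator before any file is opened, and it gives a single rejection point to log when a client sends a path that escapes the extension directory.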

In a post on Mastodon on Thursday, Sophos said it had observed “several LockBit attacks” following the exploitation of the ConnectWise vulnerabilities.

“There are two things of interest here: First, as others have pointed out, ScreenConnect vulnerabilities are being actively exploited in the wild. Secondly, despite the police operation against LockBit, it appears that some affiliates are still in operation,” Sophos said, referring to the police operation earlier this week that sought to take down LockBit infrastructure.

Christopher Budd, director of threat research at Sophos

Max Rogers, senior director of threat operations at Huntress, told TechCrunch that the cybersecurity company has also seen LockBit ransomware being deployed in attacks that exploit the ScreenConnect vulnerability.

Rogers said Huntress has seen LockBit ransomware deployed on customer systems spanning a variety of industries, but declined to name the affected customers.

The LockBit ransomware infrastructure was seized earlier this week as part of a wide-ranging international police operation led by the UK's National Crime Agency. The operation took down LockBit's public websites, including its dark web leak site, which the gang used to post stolen victim data. The leak site now houses information uncovered by the UK-led operation, exposing LockBit's capabilities and operations.

The action, known as “Operation Cronos”, also saw the downing of 34 servers in Europe, the United Kingdom and the United States, the seizure of more than 200 cryptocurrency wallets and the arrest of two alleged LockBit members in Poland and Ukraine.

“We cannot attribute [the ransomware attacks abusing the ConnectWise flaws] directly to the larger LockBit group, but it is clear that LockBit has a wide reach spanning tools, several affiliate groups and offshoots that have not been completely erased even with the significant takedown by law enforcement,” Rogers told TechCrunch by email.

When asked if ransomware deployment was something ConnectWise was also looking at internally, ConnectWise Chief Information Security Officer Patrick Beggs told TechCrunch that “this is not something we're looking at today.”

It is not yet known how many ConnectWise ScreenConnect users have been affected by this vulnerability, and ConnectWise declined to provide numbers. The company's website states that the organization provides its remote access technology to more than one million small and medium-sized businesses.

According to the Shadowserver Foundation, a nonprofit that collects and analyzes data on malicious activity on the Internet, the ScreenConnect flaws are being “widely exploited.” The nonprofit said Thursday in a post on X, formerly Twitter, that it had so far observed 643 IP addresses exploiting the vulnerabilities, adding that more than 8,200 servers remain vulnerable.