Cybercriminals are exploiting two dangerous vulnerabilities in the ConnectWise ScreenConnect remote access software to deploy LockBit ransomware, which indicates that at least part of the infrastructure of the hacker group of the same name is still operating.
Cybersecurity researchers at Huntress and Sophos reported yesterday that they had observed LockBit ransomware attacks carried out through two vulnerabilities in the popular ConnectWise ScreenConnect remote access product. CVE-2024-1709 is an authentication bypass that carries the maximum CVSS score of 10 and is described by researchers as “obscenely easy” to exploit; it has been under active exploitation since last Tuesday, the day ConnectWise released a software update (version 23.9.8) that addresses both flaws and urged customers to install it. The second bug, CVE-2024-1708, is a path traversal flaw: an attacker who already has access to the server, for example via the authentication bypass, can write files outside the directory the application intends, which is how malicious code ends up on a vulnerable system.
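The first thing a defender needs from a report like this is a fast way to sort an inventory of on-premises ScreenConnect servers into affected and patched. The script below is an added example, not code from ConnectWise, Huntress or Sophos: it compares reported version strings against 23.9.8, the first release that addresses CVE-2024-1709 and CVE-2024-1708. The host names and version strings are constructed for illustration, and the layout of the `Server: ScreenConnect/<version>` response header that the helper parses is an assumption, not something the article states.

```python
"""Triage helper for the ScreenConnect CVE-2024-1709 / CVE-2024-1708 patch gap.

Added example (not vendor or researcher code). Version numbers below 23.9.8
are treated as affected; the build suffix after the third component is
ignored for the comparison. The "Server: ScreenConnect/<version>" header
format used by version_from_server_header() is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# First release that fixes both CVEs (major, minor, patch).
FIXED_VERSION: Tuple[int, int, int] = (23, 9, 8)

# Matches "23.9.7" or "23.9.7.8804"; the optional fourth group is the build.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a version string; None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix, False if fixed, None if unparsable.

    Tuple comparison handles multi-digit components correctly, so 23.9.10
    is correctly treated as newer than 23.9.8.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def version_from_server_header(header_value: str) -> Optional[str]:
    """Pull the version token out of an assumed 'ScreenConnect/<version>' header."""
    m = re.match(r"ScreenConnect/(\S+)", header_value.strip(), re.IGNORECASE)
    return m.group(1) if m else None


def triage(inventory: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Bucket hosts into affected / patched / unknown by reported Server header."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, header in inventory.items():
        version = version_from_server_header(header) if header else None
        verdict = is_affected(version) if version else None
        if verdict is None:
            result["unknown"].append(host)   # no header or unparsable: verify on host
        elif verdict:
            result["affected"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory: host -> observed Server header (or None).
SAMPLE_INVENTORY: Dict[str, Optional[str]] = {
    "sc-old.example.internal": "ScreenConnect/23.9.7.8804-aaaaaaaa-bbbbbbbb",
    "sc-new.example.internal": "ScreenConnect/23.9.8.8811-cccccccc-dddddddd",
    "sc-2024.example.internal": "ScreenConnect/24.1.0.8900-eeeeeeee-ffffffff",
    "sc-legacy.example.internal": "ScreenConnect/22.5.1.7100",
    "sc-noheader.example.internal": None,
    "sc-proxy.example.internal": "nginx/1.24.0",
}


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket (no version header, or a reverse proxy in front of the server) still need a check on the host itself; the absence of a fingerprint is not evidence of a patch. The check is only relevant to self-hosted instances, since ConnectWise updates its cloud-hosted ScreenConnect servers itself.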
Experts emphasize two points: first, the ScreenConnect vulnerabilities are being actively exploited by cybercriminals in the wild; second, despite the operation carried out by law enforcement agencies in several countries, some of the LockBit group's infrastructure continues to operate. Earlier this week, law enforcement agencies in several countries reported a large-scale operation that resulted in the shutdown of 34 servers in Europe, the UK and the US, the seizure of more than 200 cryptocurrency wallets, and the arrest of two alleged LockBit affiliates in Poland and Ukraine.
The researchers who discovered the new wave of attacks said they could not attribute it directly to the LockBit group itself, but noted that the group has a large reach and an extensive affiliate network that cannot be dismantled quickly, even by a large-scale international operation. ConnectWise said it has not observed widespread deployment of ransomware through the product. However, according to the Shadowserver Foundation, a non-profit organization that analyzes malicious Internet activity, the product's vulnerabilities continue to be exploited: the day before, exploitation attempts came from 643 IP addresses, and more than 8,200 servers remained vulnerable.