Attackers Rush to Exploit ScreenConnect Vulnerabilities
Ransomware, Info Stealers, Backdoors and Cryptojacking
Hackers are on a tear to exploit unpatched ConnectWise ScreenConnect remote connection software to infect systems with ransomware, info stealers and persistent backdoors.
The attacks observed by researchers include ransomware deployments tied to the now-defunct LockBit ransomware operation, apparently built with a leaked malware builder tool. A "significant number" of hackers are using ScreenConnect access to deploy cryptocurrency miners, said cybersecurity firm Huntress on Friday.
ConnectWise on Monday urged customers running on-premises ScreenConnect to patch two high-risk vulnerabilities affecting ScreenConnect servers and ScreenConnect clients - an entreaty that grew in urgency after security researchers published a proof of concept for an authentication bypass flaw tracked as CVE-2024-1709. The flaw has a CVSS score of 10, the maximum possible, which rates it as "critical." The other flaw, tracked as CVE-2024-1708, is a high-severity path traversal vulnerability, but exploiting it requires the attacker to already hold administrative privileges (see: ScreenConnect Servers at High Risk as POC Becomes Public).
The Shadowserver Foundation, which tracks malicious activity, said that as of Wednesday it had found more than 8,200 vulnerable ScreenConnect instances. Attacks have originated from 643 internet protocol addresses, it said.
It is "trivial and embarrassingly easy" to exploit the authentication bypass flaw, Huntress said earlier this week. The attacker "does not require any privileges," wrote Bitdefender.
Victims include a U.S. local government 911 service - the American emergency assistance telephone number - health clinics and veterinarians, said Max Rogers, a senior director at Huntress. "When the threat actor gained access to the local government's network, they were able to access several systems associated with various government activities," including 911 as well as broader emergency services, he told Information Security Media Group.
The bug affects all ScreenConnect versions, which prompted the company on Wednesday to remove license restrictions and allow customers with expired licenses to upgrade to the latest software version.
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday added the flaw to its Known Exploited Vulnerabilities Catalog and said the flaw is "known to be used in ransomware campaigns." CISA directed all federal agencies to secure ScreenConnect servers by Feb. 29.
Cybersecurity firm Sophos in a Friday blog post said it had observed multiple attacks in the past 48 hours that deployed a LockBit ransomware payload.
The attackers deploying the ransomware used the filename enc.exe or upd.exe. The ransom note identified the variant as "buhtiRansom" rather than LockBit.
Sophos detected various remote access Trojans, info stealers, password stealers and other ransomware variants being deployed in this exploitation campaign. "All of this shows that many different attackers are targeting ScreenConnect," the company said.
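The two indicators the article gives a defender something concrete to look for are the payload filenames enc.exe and upd.exe and the fact that the payloads arrive through ScreenConnect access. The following triage helper, an added example that is not code from the article, Sophos, Huntress or ConnectWise, does two things: it flags a server version as unpatched against an assumed fix threshold of 23.9.8 (taken from the vendor advisory, not from this article), and it runs over constructed Sysmon-style process-creation records to flag those filenames and any shell launched by the ScreenConnect client. The parent-process names ScreenConnect.ClientService.exe and ScreenConnect.WindowsClient.exe are assumptions about a typical Windows endpoint, not facts from the article.

```python
"""Triage helper for the ScreenConnect exploitation campaign.

Added example, not code from the article or the vendors it cites.
Assumptions are marked inline.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumed: the first version carrying the fix (vendor advisory, not the article).
FIXED_VERSION = (23, 9, 8)
# Payload filenames reported by Sophos and quoted in the article.
SUSPICIOUS_IMAGES = {"enc.exe", "upd.exe"}
# Assumed process names of the ScreenConnect client on a Windows endpoint.
SCREENCONNECT_PARENTS = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_version(text):
    """'23.9.7.8712' -> (23, 9, 7, 8712); rejects anything not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_unpatched(version_text):
    """True when the major.minor.patch triple predates FIXED_VERSION."""
    return parse_version(version_text)[:3] < FIXED_VERSION


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str
    parent_image: str
    command_line: str


# Constructed sample records in a Sysmon Event ID 1 style (not real telemetry).
SAMPLE_LOG = r"""
host=WS-01 Image=C:\Windows\Temp\enc.exe ParentImage=C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe CommandLine="C:\Windows\Temp\enc.exe -pass x"
host=WS-02 Image=C:\Users\Public\upd.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="upd.exe"
host=WS-03 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"
host=WS-04 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe CommandLine="cmd.exe /c whoami"
"""

# Non-greedy groups because Windows paths contain spaces.
LINE_RE = re.compile(
    r'^host=(?P<host>\S+) Image=(?P<image>.+?) ParentImage=(?P<parent>.+?) '
    r'CommandLine="(?P<cmd>[^"]*)"$'
)


def parse_events(text):
    """Parse the key=value records above into ProcEvent objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable record: {line!r}")
        events.append(ProcEvent(m["host"], m["image"], m["parent"], m["cmd"]))
    return events


def triage(events):
    """Return (host, image basename, reasons) for every event worth a look.

    A known payload filename is flagged regardless of parent; a shell or
    payload spawned by the ScreenConnect client is flagged because that is
    the access path the article describes. Legitimate technicians also spawn
    shells through ScreenConnect, so the second reason alone is a lead,
    not a verdict.
    """
    findings = []
    for ev in events:
        image = ntpath.basename(ev.image).lower()
        parent = ntpath.basename(ev.parent_image).lower()
        reasons = []
        if image in SUSPICIOUS_IMAGES:
            reasons.append("known campaign payload filename")
        if parent in SCREENCONNECT_PARENTS and (image in SHELLS or image in SUSPICIOUS_IMAGES):
            reasons.append("launched by the ScreenConnect client")
        if reasons:
            findings.append((ev.host, image, reasons))
    return findings


if __name__ == "__main__":
    print("server 23.9.7.8712 unpatched:", is_unpatched("23.9.7.8712"))
    for host, image, reasons in triage(parse_events(SAMPLE_LOG)):
        print(f"{host}: {image}: {'; '.join(reasons)}")
```

Filename matches are the weakest indicator here, since any attacker can rename a payload; the parent-process relationship survives renaming and is the signal worth keeping in a detection rule once the filenames go stale.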
Rogers told ISMG the LockBit deployment appears to have been compiled around Sept. 13, 2022 - about the time a LockBit developer leaked the ransomware-as-a-service group's source code. The developer was apparently upset at being made to pay out of his own pocket a $50,000 bug bounty the operation had offered for flaws in its encryptor malware. "I'm not convinced it is 'the' LockBit but candidly, the affected organizations care more about the impact and encryption than attribution or who did it," Rogers said.