BOOK THIS SPACE FOR AD
ARTICLE ADAttackers are exploiting a maximum severity authentication bypass vulnerability to breach unpatched ScreenConnect servers and deploy LockBit ransomware payloads on compromised networks.
The maximum severity CVE-2024-1709 auth bypass flaw has been under active exploitation since Tuesday, one day after ConnectWise released security updates and several cybersecurity companies published proof-of-concept exploits.
ConnectWise also patched the CVE-2024-1708 high-severity path traversal vulnerability, which can only be abused by threat actors with high privileges.
Both security bugs impact all ScreenConnect versions, prompting the company on Wednesday to remove all license restrictions so customers with expired licenses can upgrade to the latest software version and secure their servers from attacks.
CISA also added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog today, ordering U.S. federal agencies to secure their servers within one week by February 29.
Shodan currently tracks over 8,659 ScreenConnect servers, while only 980 are running the ScreenConnect 23.9.8 patched version.
Exploited in LockBit ransomware attacks
Today, Sophos X-Ops revealed that threat actors have been deploying LockBit ransomware on victims' systems after gaining access using exploits targeting these two ScreenConnect vulnerabilities.
"In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)," the Sophos' threat response task force said.
"Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running."
Cybersecurity company Huntress confirmed their findings and told BleepingComputer that "a local government, including systems likely linked to their 911 Systems" and a "healthcare clinic" have also been hit by LockBit ransomware attackers who used CVE-2024-1709 exploits to breach their networks.
"We can confirm that the malware being deployed is associated with Lockbit," Huntress said in an email.
"We can't attribute this directly to the larger LockBit group but it is clear that lockbit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement."
LockBit dismantled in Operation Cronos
LockBit ransomware's infrastructure was seized this week after its dark web leak sites were taken down on Monday in a global law enforcement operation codenamed Operation Cronos led by the U.K.'s National Crime Agency (NCA).
As part of this joint operation, Japan's National Police Agency developed a free LockBit 3.0 Black Ransomware decryptor using over 1,000 decryption keys retrieved from LockBit's seized servers and released on the 'No More Ransom' portal.
During Operation Cronos, several LockBit affiliates were arrested in Poland and Ukraine, while French and U.S. authorities issued three international arrest warrants and five indictments targeting other LockBit threat actors. The U.S. Justice Department brought two of these indictments against Russian suspects Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord).
Law enforcement also published additional information on the group's seized dark web leak site, revealing that LockBit had at least 188 affiliates since it emerged in September 2019.
LockBit has claimed attacks on many large-scale and government organizations worldwide over the last four years, including Boeing, the Continental automotive giant, the UK Royal Mail, and the Italian Internal Revenue Service.
The U.S. State Department now offers rewards of up to $15 million for providing information about LockBit ransomware gang members and their associates.