Security experts are warning that a pair of high-risk flaws in a popular remote access tool are being exploited by hackers to develop LockBit ransomware – days after authorities announced they had busted a notorious Russian-linked cybercrime gang.
Researchers at cybersecurity firms Huntress and Sophos told TechCrunch on Thursday that both had observed LockBit attacks after exploiting a set of vulnerabilities affecting ConnectWise ScreenConnect, a widely used remote access tool used by IT technicians to provide remote technical support on client systems.
Defects consist of two errors. CVE-2024-1709 is an authentication bypass vulnerability considered “annoyingly easy” to exploit that has been in active exploitation since Tuesday, shortly after ConnectWise released security updates and urged organizations to patch. The other bug, CVE-2024-1708, is a path traversal vulnerability that can be used in conjunction with the other bug to remotely install malicious code on an affected system.
In a post on Mastodon On Thursday, Sophos said it had observed “several LockBit attacks” exploiting ConnectWise vulnerabilities.
“Two things of interest here: first, as noted by others, ScreenConnect vulnerabilities are actively exploited in the wild. Second, despite the enforcement operation against LockBit, it appears that some affiliates are still operating,” Sophos said, referring to the enforcement operation earlier this week that claimed to have taken down LockBit’s infrastructure.
Christopher Budd, director of threat research at Sophos X-Ops, told TechCrunch via email that the company’s observations show that, “ScreenConnect was the start of the observed execution chain, and the version of ScreenConnect used was vulnerable.”
Max Rogers, senior director of threat operations at Huntress, told TechCrunch that the cybersecurity firm has also seen the development of LockBit ransomware in attacks that exploit the ScreenConnect vulnerability.
Rogers said Huntress has seen LockBit ransomware deployed on customer systems spanning a range of industries, but declined to name the customers affected.
The LockBit ransomware infrastructure was seized earlier this week as part of a sweeping international law enforcement operation led by the UK’s National Crime Agency. The operation took down LockBit’s public websites, including the dark leak site, which the gang used to post data stolen from victims. The leak site now hosts information leaked by the UK-led firm that reveals LockBit’s features and functionality.
The operation, known as “Operation Cronos,” also saw the takedown of 34 servers across Europe, the United Kingdom, and the United States, the seizure of more than 200 cryptocurrency wallets, and the arrest of two alleged LockBit members in Poland and Ukraine.
“We can’t perform [the ransomware attacks abusing the ConnectWise flaws] directly to the larger LockBit group, but it’s clear that LockBit has a large reach that spans tools, various affiliate groups, and offshoots that haven’t been completely wiped out even with the big takedown by law enforcement,” Rogers told TechCrunch via e-mail.
When asked if the growth of ransomware was something ConnectWise was also noticing internally, ConnectWise’s chief information security officer Patrick Beggs told TechCrunch that “that’s not something we’re seeing today.”
It remains unknown how many ConnectWise ScreenConnect users have been affected by this vulnerability, and ConnectWise declined to provide numbers. The company’s website claims that the organization provides remote access technology to more than one million small and medium-sized businesses.
According to the Shadowserver Foundation, a nonprofit organization that collects and analyzes data on malicious Internet activity, the ScreenConnect flaws are “widely exploited.” The nonprofit organization said Thursday in a post on Xformerly of Twitter, that so far it had observed 643 IP addresses exploiting the vulnerabilities — adding that more than 8,200 servers remain vulnerable.