
Security researchers say hackers are using ConnectWise weaknesses to spread LockBit ransomware.

Days after police said they had disrupted the notorious Russia-linked cybercrime gang, security researchers warn that hackers are exploiting two high-risk vulnerabilities in a popular remote access tool to deploy LockBit ransomware.

On Thursday, researchers at Huntress and Sophos told Eltrys that they had observed LockBit attacks following the exploitation of vulnerabilities in ConnectWise ScreenConnect, a tool IT technicians use to provide remote technical support on customer systems.

The flaws are two separate bugs. The first, an authentication bypass vulnerability tracked as CVE-2024-1709 and described as “embarrassingly easy” to exploit, has been under attack since Tuesday, when ConnectWise released security patches and urged customers to apply them. The second, a path traversal vulnerability tracked as CVE-2024-1708, can be chained with the authentication bypass to remotely plant malicious code on an affected system.

In a post on Mastodon on Thursday, Sophos reported “several LockBit attacks” that followed exploitation of the ConnectWise vulnerabilities.

As others have also highlighted, the ScreenConnect vulnerabilities are being widely exploited in the wild. Sophos noted that certain affiliates are still operating despite the law enforcement operation that claimed to shut down LockBit’s infrastructure earlier this week.

Sophos X-Ops director of threat research Christopher Budd emailed Eltrys that “ScreenConnect was the start of the observed execution chain, and the version of ScreenConnect in use was vulnerable.”

Huntress senior director of threat operations Max Rogers told Eltrys that attacks exploiting ScreenConnect had also deployed LockBit ransomware.

Rogers said Huntress has seen LockBit ransomware on client systems across many businesses, but he would not identify them.

This week, the U.K.’s National Crime Agency led a large multinational law enforcement operation to seize LockBit ransomware’s infrastructure. The operation took down LockBit’s public websites, including its dark web leak site, where the group published stolen victim data. The leak site now hosts information from the U.K.-led operation about LockBit’s capabilities and activities.

In the operation, dubbed “Operation Cronos,” 34 servers in Europe, the U.K., and the U.S. were taken down, more than 200 bitcoin wallets were seized, and two alleged LockBit members were arrested in Poland and Ukraine.

Rogers emailed Eltrys, “We can’t attribute [the ransomware attacks abusing the ConnectWise flaws] directly to the larger LockBit group, but it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown.”

ConnectWise chief information security officer Patrick Beggs told Eltrys that “this is not something we are seeing as of today.”

ConnectWise would not say how many ScreenConnect users are affected by this issue. The company’s website says it provides remote access to over a million small and medium-sized businesses.

The Shadowserver Foundation, a nonprofit that tracks malicious internet activity, also describes the ScreenConnect flaws as “widely exploited.” In a Thursday post on X, formerly Twitter, the organization said it had seen 643 IP addresses abusing the flaws and that over 8,200 systems remain exposed.
