Trend Micro research has uncovered a concerning development: new ransomware gangs are exploiting vulnerabilities in ConnectWise ScreenConnect to attack enterprises. The latest findings reveal that ransomware groups such as Black Basta and Bl00dy are actively exploiting these vulnerabilities, posing a serious threat to organizations that rely on ConnectWise software.
The vulnerabilities in question, identified as CVE-2024-1709 and CVE-2024-1708, were first disclosed on February 19, prompting ConnectWise to issue a security advisory and urge users to patch their systems immediately. These vulnerabilities, which involve path traversal and authentication bypass flaws, have already been exploited by threat actors to compromise accounts and deliver ransomware to unsuspecting victims.
ConnectWise’s recent update confirmed that exploitation of these vulnerabilities has led to compromised accounts, with Sophos X-Ops researchers linking the activity to the LockBit ransomware gang. LockBit, a notorious group that was recently targeted in a law enforcement operation, has been one of the most active ransomware groups in the cybercrime landscape.
Furthermore, Trend Micro researchers have identified additional threat groups exploiting the ScreenConnect vulnerabilities, including Black Basta and Bl00dy. These groups have been using the vulnerabilities to gain unauthorized access to ConnectWise servers, perform reconnaissance, escalate privileges, and deploy malicious payloads, including PowerShell scripts and Cobalt Strike.
The exploitation of these vulnerabilities has allowed threat actors to gain control over affected systems, enabling them to deploy ransomware and exfiltrate sensitive data from victim networks. In some instances, the Black Basta gang has been observed deploying Cobalt Strike beacons and targeting victims’ Active Directory to further infiltrate their environments.
The Bl00dy ransomware group, which emerged in 2022, has also been leveraging the ScreenConnect flaws to encrypt files on victims’ machines and demand ransom payments. In addition to ransomware, threat actors have been observed dropping the XWorm malware to gain remote access capabilities and exfiltrate data from compromised systems.
Beyond ransomware attacks, threat actors have been exploiting the ScreenConnect vulnerabilities to deploy other remote management tools and execute malicious scripts. This multifaceted approach underscores the severity of the situation and the need for organizations to patch their systems immediately and protect themselves from further exploitation.
In light of these developments, Trend Micro researchers have stressed the importance of immediate patching as a critical security measure against these identified threats. They have also provided customers with a knowledge base article describing the observed post-exploitation activity and offering mitigation recommendations to help organizations safeguard their systems.
While the exact number of victims is unclear at this time, the widespread abuse of these vulnerabilities highlights the urgent need for organizations to secure their systems and prevent future attacks. ConnectWise has moved quickly to address the vulnerabilities in its software and has urged customers to apply the necessary patches to protect their systems from potential exploitation.
As the cybersecurity landscape continues to evolve, it is essential for organizations to remain vigilant and proactive in their efforts to defend against ransomware attacks and other malicious threats. By staying informed and taking timely action to secure their systems, enterprises can mitigate the risks posed by new ransomware gangs and protect their data and operations from potential harm.
