
North Korean hacking group exploits ScreenConnect vulnerabilities to deploy hazardous malware


A North Korean state-sponsored group has been observed exploiting the recently disclosed ScreenConnect vulnerabilities to steal sensitive data from its targets. According to a Kroll report shared with TechRadar Pro, the group known as Kimsuky (also tracked as Thallium) exploited two flaws in ConnectWise's remote access product to deploy ToddleShark, a new variant of the BabyShark and ReconShark backdoors it has used in earlier campaigns.

BabyShark has previously been found on endpoints belonging to government organizations, universities, and research institutions in Western countries. The targets of this latest campaign have not been disclosed, but they are presumed to fall into the same sectors.

The data Kimsuky collects this way is classic reconnaissance output: hostnames, system configuration, user accounts, active user sessions, network configuration, installed security software, current network connections, running processes, and a list of installed software. That inventory lets the operators decide which hosts are worth further attention and which tooling to bring next, a pattern consistent with Kimsuky's long-running cyber-espionage against government bodies.

Kimsuky's deployment of ToddleShark relied on two ScreenConnect vulnerabilities: CVE-2024-1709, an authentication bypass rated CVSS 10.0, and CVE-2024-1708, a path traversal flaw. ConnectWise disclosed both on 19 February 2024 and shipped a fixed release (23.9.8) at the same time, but exploitation by threat actors worldwide began within days. Unpatched, internet-exposed ScreenConnect servers were used to deploy a range of malware, including ransomware; reports also indicate that payloads attributed to the LockBit operation were dropped through the same flaws.
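Two checks a defender would want after reading the above, as an added example that is not part of the original article or of Kroll's or ConnectWise's own tooling: a version test against the 23.9.8 fix for on-premise installs, and a scan of IIS access logs for the request shape public incident responders associated with the CVE-2024-1709 bypass (a hit on SetupWizard.aspx with an extra path segment appended, which reached the setup wizard on an already-configured server). The log lines are constructed for this example, and the assumption that the server logs in the default IIS W3C field order is the example's, not the page's.

```python
"""Triage helpers for the ScreenConnect flaws (added example, not from the article)."""
import re
from typing import Iterable

# ConnectWise's advisory lists 23.9.7 and earlier as affected; 23.9.8 is the fix.
FIXED_VERSION = (23, 9, 8)


def parse_version(version: str) -> tuple[int, ...]:
    """ScreenConnect reports builds like '23.9.7.8706'; compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True if the build predates the 23.9.8 fix (only the first three components matter)."""
    return parse_version(version)[:3] < FIXED_VERSION


# The bypass appended a path segment after SetupWizard.aspx; match that shape case-insensitively.
SETUP_WIZARD_BYPASS = re.compile(r"/SetupWizard\.aspx/", re.IGNORECASE)

# Assumed default IIS W3C field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
FIELD_METHOD, FIELD_URI, FIELD_CLIENT, FIELD_STATUS = 3, 4, 8, 11


def scan_iis_log(lines: Iterable[str]) -> list[dict]:
    """Return one record per request that hits SetupWizard.aspx with a trailing path segment."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):   # skip blanks and W3C header lines
            continue
        fields = line.split()
        if len(fields) <= FIELD_STATUS:
            continue                                     # truncated or non-W3C line
        uri = fields[FIELD_URI]
        if SETUP_WIZARD_BYPASS.search(uri):
            hits.append({
                "time": f"{fields[0]} {fields[1]}",
                "method": fields[FIELD_METHOD],
                "uri": uri,
                "client": fields[FIELD_CLIENT],
                "status": int(fields[FIELD_STATUS]),
            })
    return hits


# Constructed sample log: two bypass attempts from one client, plus ordinary traffic.
# A plain /SetupWizard.aspx request on a configured server is expected to redirect
# (302), so it is not flagged; only the trailing-segment variant is.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-02-21 03:14:07 10.0.0.5 GET /SetupWizard.aspx/anything - 8040 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2024-02-21 03:14:09 10.0.0.5 POST /SetupWizard.aspx/anything - 8040 - 203.0.113.7 Mozilla/5.0 - 200 0 0 98
2024-02-21 03:15:00 10.0.0.5 GET /Login.aspx - 8040 - 198.51.100.20 Mozilla/5.0 - 200 0 0 30
2024-02-21 03:16:00 10.0.0.5 GET /SetupWizard.aspx - 8040 - 198.51.100.20 Mozilla/5.0 - 302 0 0 12
"""


if __name__ == "__main__":
    for build in ("23.9.7.8706", "23.9.8.8811"):
        print(f"{build}: {'VULNERABLE' if is_vulnerable(build) else 'patched'}")
    for hit in scan_iis_log(SAMPLE_IIS_LOG.splitlines()):
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['uri']} -> {hit['status']}")
```

A POST to the SetupWizard path with a 200 response is the more important of the two hits, since the bypass was used to submit the wizard and create an administrative account; the GET alone may be a scanner probing for the flaw. A successful hit on an unpatched build should be treated as a likely compromise, not just a missing patch.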

A ConnectWise spokesperson said that the majority (80%) of its customers run the cloud-hosted service, and those instances were patched by ConnectWise within two days of disclosure; on-premise installations must be updated by the customers themselves. The number of businesses actually affected is hard to establish, but media reports put ConnectWise's customer base at over one million small and medium-sized enterprises managing more than 13 million devices.

For a remote access platform with that footprint, a single authentication bypass exposes every customer endpoint reachable through an unpatched server. The incident underscores why vulnerabilities in remote management software need to be patched promptly and, where exploitation windows have already passed, treated as potential compromises rather than just missing updates.
