
North Korean hacking group exploits ScreenConnect vulnerabilities to deploy hazardous malware


North Korean state-sponsored threat actors have been identified using the recently uncovered vulnerabilities in ScreenConnect to pilfer sensitive data from their targets. Kroll’s latest report shared with TechRadar Pro has revealed that a group known as Kimsuky, also known as Thallium, exploited two flaws in ConnectWise’s solution to deploy ToddleShark, an upgraded version of their previously used backdoors, BabyShark and ReconShark.

Previously, BabyShark had been detected on endpoints belonging to government organizations, universities, and research institutions in the Western world. Although the specific targets in this recent incident remain undisclosed, it is presumed that they belong to similar sectors.

The data acquired by Kimsuky through this method includes a range of sensitive information such as hostnames, system configurations, user accounts, active user sessions, network setups, security software data, current network connections, running processes, and a list of installed software. Such data could potentially enable the threat actor to orchestrate more damaging cyberattacks, a tactic commonly associated with Kimsuky’s cyber-espionage activities against government bodies.
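A defender-side detection for the reconnaissance burst described above, added here as an example that is not from the article or the Kroll report: it scans process-creation log lines and flags any parent process whose child commands cover several of the listed data categories inside a short time window. The log line format, the command-to-category mapping and the parent process name in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# One regex per category of host data the report says ToddleShark gathered;
# the command-to-category mapping is an assumption, not taken from the Kroll report.
RECON = {
    "hostname": r"\bhostname\b",
    "system_config": r"\bsysteminfo\b",
    "user_accounts": r"\bnet\s+user\b",
    "sessions": r"\b(quser|qwinsta|query\s+user)\b",
    "network_setup": r"\bipconfig\b",
    "security_software": r"AntiVirusProduct",
    "connections": r"\bnetstat\b",
    "processes": r"\btasklist\b",
    "installed_software": r"\bwmic\s+product\b",
}
LOG_LINE = re.compile(r"^(\S+ \S+) parent=(\S+) cmd=(.*)$")
# Constructed sample process-creation events (not real telemetry); the parent
# process name is an assumption used only to make the sample readable.
SAMPLE_LOG = """\
2024-03-01 10:00:01 parent=ScreenConnect.ClientService.exe cmd=hostname
2024-03-01 10:00:02 parent=ScreenConnect.ClientService.exe cmd=systeminfo
2024-03-01 10:00:03 parent=ScreenConnect.ClientService.exe cmd=net user
2024-03-01 10:00:04 parent=ScreenConnect.ClientService.exe cmd=ipconfig /all
2024-03-01 10:00:05 parent=ScreenConnect.ClientService.exe cmd=netstat -ano
2024-03-01 10:00:06 parent=ScreenConnect.ClientService.exe cmd=tasklist /v
2024-03-01 09:00:00 parent=explorer.exe cmd=ipconfig /all
2024-03-01 11:30:00 parent=explorer.exe cmd=tasklist""".splitlines()
def recon_bursts(lines, window=timedelta(minutes=5), threshold=5):
    """Return {parent: [categories]} for each parent whose child commands cover
    >= threshold distinct recon categories inside one window (admins run one or two)."""
    events = defaultdict(list)  # parent -> [(timestamp, {categories}), ...]
    for m in filter(None, map(LOG_LINE.match, lines)):  # skip malformed lines
        cats = {name for name, rx in RECON.items() if re.search(rx, m.group(3), re.I)}
        if cats:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events[m.group(2)].append((ts, cats))
    flagged = {}
    for parent, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(evs):  # slide the window over each start
            seen = set()
            for ts, cats in evs[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= threshold:
                flagged[parent] = sorted(seen)
                break
    return flagged
```

Run on real Sysmon or EDR process-creation telemetry, the same logic needs the parent name and timestamp fields mapped to this line format; the explorer.exe events in the sample show why the window matters, since the same commands hours apart are not flagged.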

The deployment of ToddleShark by Kimsuky was made possible by leveraging two vulnerabilities in ScreenConnect: CVE-2024-1709 (an authentication bypass flaw) and CVE-2024-1708 (a path traversal vulnerability). Although ConnectWise identified these vulnerabilities towards the end of last month and promptly disclosed them, they were soon exploited on a large scale by threat actors worldwide. Unpatched endpoints were targeted by malicious actors deploying various malware strains, including ransomware. Reports also suggest that the notorious LockBit group utilized the flaws to distribute its encryption software.

A spokesperson for ConnectWise mentioned that the majority (80%) of their clients use cloud-based environments, and these were patched within just two days of the vulnerability disclosure. While it is challenging to ascertain the exact number of businesses impacted by these flaws, media outlets have reported that over one million small and medium-sized enterprises, managing more than 13 million devices, are customers of ConnectWise.

ScreenConnect, a widely used remote access platform, is purportedly utilized by over one million companies globally. This incident underscores the critical importance of promptly addressing and mitigating software vulnerabilities to prevent malicious exploitation and safeguard sensitive data and systems.
