ScreenConnect servers hacked in LockBit ransomware attacks – Insta News Hub

Attackers are exploiting a maximum severity authentication bypass vulnerability to breach unpatched ScreenConnect servers and deploy LockBit ransomware payloads on compromised networks.

The maximum severity CVE-2024-1709 auth bypass flaw has been under active exploitation since Tuesday, one day after ConnectWise released security updates and several cybersecurity companies published proof-of-concept exploits.

ConnectWise also patched the CVE-2024-1708 high-severity path traversal vulnerability, which can only be abused by threat actors with high privileges.

Both security bugs impact all ScreenConnect versions, prompting the company on Wednesday to remove all license restrictions so customers with expired licenses can upgrade to the latest software version and secure their servers from attacks.

CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog today, ordering U.S. federal agencies to secure their servers within one week by February 29.

CVE-2024-1709 is now widely exploited in the wild, according to security threat monitoring platform Shadowserver, with 643 IPs currently targeting vulnerable servers.

Shodan currently tracks over 8,659 ScreenConnect servers, with only 980 running the ScreenConnect 23.9.8 patched version.

Internet-exposed ScreenConnect servers (Shodan)

Exploited in LockBit ransomware attacks

Today, Sophos X-Ops revealed that threat actors have been deploying LockBit ransomware on victims’ systems after gaining access using exploits targeting these two ScreenConnect vulnerabilities.

“In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709),” the Sophos threat response task force said.

“Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running.”

Cybersecurity company Huntress confirmed their findings and told BleepingComputer that “a local government, including systems likely linked to their 911 Systems” and a “healthcare clinic” have also been hit by LockBit ransomware attackers who used CVE-2024-1709 exploits to breach their networks.

“We can confirm that the malware being deployed is associated with Lockbit,” Huntress said in an email.

“We can’t attribute this directly to the larger LockBit group but it’s clear that lockbit has a large reach that spans tooling, various affiliate groups, and offshoots that haven’t been completely erased even with the major takedown by law enforcement.”

LockBit dismantled in Operation Cronos

LockBit ransomware’s infrastructure was seized this week after its dark web leak sites were taken down on Monday in a global law enforcement operation codenamed Operation Cronos led by the U.K.’s National Crime Agency (NCA).

As part of this joint operation, Japan’s National Police Agency developed a free LockBit 3.0 Black Ransomware decryptor using over 1,000 decryption keys retrieved from LockBit’s seized servers and released on the ‘No More Ransom’ portal.

During Operation Cronos, several LockBit affiliates were arrested in Poland and Ukraine, while French and U.S. authorities issued three international arrest warrants and five indictments targeting other LockBit threat actors. The U.S. Justice Department brought two of these indictments against Russian suspects Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord).

Law enforcement also published additional information on the group’s seized dark web leak site, revealing that LockBit had at least 188 affiliates since it emerged in September 2019.

LockBit has claimed attacks on many large-scale and government organizations worldwide over the last four years, including Boeing, the Continental automotive giant, the UK Royal Mail, and the Italian Internal Revenue Service.

The U.S. State Department now offers rewards of up to $15 million for providing information about LockBit ransomware gang members and their associates.

As BleepingComputer reported today, LockBit developers were secretly working on a new malware version dubbed LockBit-NG-Dev (which would’ve likely become LockBit 4.0).