Security experts warn that hackers are exploiting vulnerabilities in ConnectWise ScreenConnect, a widely used remote access tool, to deploy LockBit ransomware. The warning comes in the wake of recent law enforcement efforts to disrupt the activities of LockBit, the Russia-linked cybercrime gang.
Key Takeaway
Hackers are actively exploiting vulnerabilities in ConnectWise ScreenConnect to deploy LockBit ransomware, posing a significant threat to organizations using this remote access tool.
High-Risk Flaws Exploited
Researchers at cybersecurity companies Huntress and Sophos have observed LockBit attacks following the exploitation of two high-risk vulnerabilities impacting ConnectWise ScreenConnect. CVE-2024-1709 is an authentication bypass vulnerability, and CVE-2024-1708 is a path traversal vulnerability.
LockBit Attacks
Sophos reported that it had observed “several LockBit attacks” following the exploitation of the ConnectWise vulnerabilities. Despite recent law enforcement operations against LockBit, it appears that some affiliates are still active and deploying the ransomware.
Observations by Security Experts
Christopher Budd, director of threat research at Sophos X-Ops, highlighted that the vulnerable version of ScreenConnect was the starting point of the observed execution chain. Max Rogers, senior director of threat operations at Huntress, confirmed that LockBit ransomware had been observed being deployed in attacks exploiting the ScreenConnect vulnerability.
Impact and Response
ConnectWise has not confirmed the extent of the impact on its users, but the Shadowserver Foundation reported that the ScreenConnect flaws are being “widely exploited,” with over 8,200 servers remaining vulnerable.