Hackers are exploiting ConnectWise flaws to deploy LockBit ransomware, security experts warn
Security experts are warning that a pair of high-risk flaws in a popular remote access tool are being exploited by hackers to deploy LockBit ransomware — days after authorities announced that they had disrupted the notorious Russia-linked cybercrime gang.
Researchers at cybersecurity companies Huntress and Sophos told TechCrunch on Thursday that both had observed LockBit attacks following the exploitation of a set of vulnerabilities impacting ConnectWise ScreenConnect, a widely used remote access tool used by IT technicians to provide remote technical support on customer systems.
The flaws consist of two bugs. CVE-2024-1709 is an authentication bypass vulnerability deemed “embarrassingly easy” to exploit, which has been under active exploitation since Tuesday, soon after ConnectWise released security updates and urged organizations to patch. The other bug, CVE-2024-1708, is a path traversal vulnerability that can be used in conjunction with the other bug to remotely plant malicious code on an affected system.
In a post on Mastodon on Thursday, Sophos said that it had observed “several LockBit attacks” following exploitation of the ConnectWise vulnerabilities.
“Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running,” Sophos said, referring to the law enforcement operation earlier this week that claimed to take down LockBit’s infrastructure.
Christopher Budd, director of threat research at Sophos X-Ops, told TechCrunch by email that the company’s observations show that, “ScreenConnect was the start of the observed execution chain, and the version of ScreenConnect in use was vulnerable.”
Max Rogers, senior director of threat operations at Huntress, told TechCrunch that the cybersecurity company has also observed LockBit ransomware being deployed in attacks exploiting the ScreenConnect vulnerability.
Rogers said that Huntress has seen LockBit ransomware deployed on customer systems spanning a range of industries, but declined to name the customers affected.
LockBit ransomware’s infrastructure was seized earlier this week as part of a sweeping international law enforcement operation led by the U.K.’s National Crime Agency. The operation downed LockBit’s public-facing websites, including its dark web leak site, which the gang used to publish stolen data from victims. The leak site now hosts information uncovered by the U.K.-led operation exposing LockBit’s capabilities and operations.
The action, known as “Operation Cronos,” also saw the takedown of 34 servers across Europe, the U.K. and the United States, the seizure of more than 200 cryptocurrency wallets, and the arrests of two alleged LockBit members in Poland and Ukraine.
“We can’t attribute [the ransomware attacks abusing the ConnectWise flaws] directly to the larger LockBit group, but it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement,” Rogers told TechCrunch via email.
When asked whether the deployment of ransomware was something that ConnectWise was also observing internally, ConnectWise chief information security officer Patrick Beggs told TechCrunch that “this is not something we are seeing as of today.”
It remains unknown how many ConnectWise ScreenConnect users have been impacted by this vulnerability, and ConnectWise declined to provide numbers. The company’s website claims that the organization provides its remote access technology to more than a million small to medium-sized businesses.
According to the Shadowserver Foundation, a nonprofit that gathers and analyzes data on malicious internet activity, the ScreenConnect flaws are being “widely exploited.” The nonprofit said Thursday in a post on X, formerly Twitter, that it had so far observed 643 IP addresses exploiting the vulnerabilities — adding that more than 8,200 servers remain vulnerable.