The cybersecurity community is raising alarms over the active exploitation of two high-severity vulnerabilities in a widely used remote access tool, which is resulting in the deployment of LockBit ransomware. The exploitation began only days after an international law enforcement crackdown on the LockBit operation was made public.
Concerns grew after cybersecurity firms Huntress and Sophos told TechCrunch that the vulnerabilities in ConnectWise ScreenConnect were being used to launch LockBit ransomware attacks. ConnectWise ScreenConnect is widely used by IT professionals and managed service providers to administer and support client systems remotely.
The incident involves two flaws. The first, CVE-2024-1709, is an authentication bypass that has been under active attack since ConnectWise disclosed it alongside a fix (ScreenConnect 23.9.8; 23.9.7 and earlier are affected). The flaw is trivial to exploit and gives an unauthenticated attacker administrative control of the server. The second, CVE-2024-1708, is a path traversal vulnerability that lets an attacker write files outside the directories the application intends them to reach. Chained with the authentication bypass, it allows an attacker to plant malicious code on the ScreenConnect server and from there reach the systems it manages.
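The paragraph above, and the FAQ entry below, describe the second flaw as a path traversal that lets an attacker write files where they should not land. The following Python example is added here to show that bug class in general terms; it is not ConnectWise's code and does not reproduce the ScreenConnect vulnerability. The directory names, the handler functions and the sample filenames are all constructed for the demonstration. It puts a naive "save uploaded extension" handler beside the hardened version a practitioner would write, which resolves the final path and refuses anything that escapes the allowed directory (including absolute paths and `..` components).

```python
import os
import tempfile

# Constructed sandbox: an "extensions" directory the application is allowed to
# write into, and a parent directory it must never touch. Names are hypothetical.
ROOT = tempfile.mkdtemp(prefix="traversal-demo-")
EXTENSIONS_DIR = os.path.join(ROOT, "App_Extensions")
os.makedirs(EXTENSIONS_DIR)


def save_extension_vulnerable(filename: str, content: bytes) -> str:
    """Naive handler: trusts the caller-supplied filename.

    os.path.join follows '..' components, so '../evil.aspx' is written one
    level above EXTENSIONS_DIR. Returns the absolute path actually written.
    """
    dest = os.path.join(EXTENSIONS_DIR, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(content)
    return os.path.abspath(dest)


def save_extension_hardened(filename: str, content: bytes) -> str:
    """Same handler with the containment check added.

    The candidate path is fully resolved (symlinks included) and accepted only
    if it lies strictly inside the resolved EXTENSIONS_DIR. An absolute
    filename makes os.path.join discard the base entirely, and '..' walks out
    of it; both cases fail the prefix test and are rejected.
    """
    base = os.path.realpath(EXTENSIONS_DIR)
    dest = os.path.realpath(os.path.join(base, filename))
    if not dest.startswith(base + os.sep):
        raise ValueError(f"path traversal rejected: {filename!r}")
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(content)
    return dest


def escaped_allowed_dir(path: str) -> bool:
    """True if the written file ended up outside EXTENSIONS_DIR."""
    base = os.path.realpath(EXTENSIONS_DIR)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def hardened_rejects(filename: str) -> bool:
    """True if the hardened handler refuses the filename."""
    try:
        save_extension_hardened(filename, b"x")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    written = save_extension_vulnerable("../evil.aspx", b"<% malicious %>")
    print("vulnerable handler wrote:", written,
          "escaped:", escaped_allowed_dir(written))
    for name in ("plugin.txt", "../evil.aspx", "/etc/passwd", "sub/../../x"):
        print(f"hardened handler rejects {name!r}:", hardened_rejects(name))
```

The check relies on `realpath` rather than on filtering `..` out of the string: a filename can reach the parent directory through a symlink or through encodings the filter does not anticipate, while the resolved path is unambiguous.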
Sophos said in a post on Mastodon that it had observed several instances in which these vulnerabilities were exploited to deliver LockBit ransomware.
These incidents took place despite a major police operation that was said to have disrupted the LockBit operation. Sophos noted that some LockBit affiliates evidently remain active in spite of the law enforcement action.
Christopher Budd, Sophos's head of threat research, told TechCrunch by email that unpatched, still-vulnerable ScreenConnect instances were the initial access point in the attack chain.
Max Rogers of Huntress said his firm had likewise seen the ScreenConnect vulnerabilities exploited to deploy LockBit ransomware on customer systems across several industries, though he did not identify the customers.
LockBit's infrastructure was seized earlier in the week as part of "Operation Cronos," an international law enforcement initiative led by the U.K.'s National Crime Agency. The operation took down the group's online portals and led to the arrest of two alleged accomplices.
According to Rogers, the recent ransomware activities exploiting the ConnectWise security issues can’t be explicitly linked to the main LockBit group but indicate the group’s extensive influence and presence.
Patrick Beggs, chief information security officer at ConnectWise, informed TechCrunch that they had not observed these ransomware deployments internally.
The number of ConnectWise customers affected is not known. The Shadowserver Foundation reported that the vulnerabilities are being widely exploited and that many exposed servers remain unpatched.
Frequently Asked Questions (FAQ)
- What is ConnectWise ScreenConnect?
- ConnectWise ScreenConnect is a remote support tool used by IT professionals to provide technical assistance on client systems.
- What are CVE-2024-1709 and CVE-2024-1708?
- CVE-2024-1709 is an authentication bypass vulnerability, while CVE-2024-1708 is a path traversal vulnerability. Chained together, they let an unauthenticated attacker take control of a ScreenConnect server and install malicious software on it.
- Has the LockBit ransomware gang been taken down by law enforcement?
- Partial action against LockBit happened through “Operation Cronos,” which dismantled part of their infrastructure and led to arrests, but some affiliates are still active.
- Is the ConnectWise vulnerability widespread?
- According to the Shadowserver Foundation, the vulnerability is widely exploited, and many servers remain unprotected.
Conclusion
The exploitation of the ConnectWise ScreenConnect vulnerabilities highlights the persistent threat posed by determined cybercriminals, even after substantial law enforcement efforts to disrupt their operations. It underlines the importance of prompt patching, in particular of internet-facing remote access tools, and of rigorous security controls if businesses are to protect themselves against ransomware and other threats. As LockBit affiliates continue to operate, vigilance and stronger security practices remain essential to protecting IT infrastructure.