Cybercriminals are exploiting two serious vulnerabilities in the remote access software ConnectWise ScreenConnect to deploy the LockBit ransomware, indicating that the LockBit group's infrastructure is still operational, at least in part.
Cybersecurity researchers at Huntress and Sophos have recently reported spotting LockBit attacks carried out through vulnerabilities in the popular remote access software ConnectWise ScreenConnect. The attackers are exploiting two vulnerabilities. The first, CVE-2024-1709, allows authentication bypass and is considered unusually easy to exploit. It was heavily exploited last Tuesday, immediately after ConnectWise released a software update that patched the flaw and urged customers to install it. The second, CVE-2024-1708, allows the remote delivery of malicious code into a vulnerable system.
Experts underscore two main points. Firstly, ScreenConnect's vulnerabilities are being actively exploited by cybercriminals. Secondly, despite law enforcement agencies from several countries launching operations to take them down, some of LockBit's resources continue to operate. Law enforcement from various countries reported a large-scale operation earlier this week, which led to the shutdown of 34 servers in Europe, the UK, and the US, the confiscation of more than 200 cryptocurrency wallets, and the arrest of two alleged LockBit members in Poland and Ukraine.
Experts who detected this new wave of attacks say it is difficult to attribute them directly to LockBit, as the group has a broad reach and an extensive affiliate network. It is impossible to completely dismantle such a widespread and well-established network quickly, even within the scope of a substantial international operation. ConnectWise reportedly stated that there is currently no mass deployment of ransomware through its software. Yet, according to the non-profit Shadowserver Foundation, which tracks malicious internet activity, the software's vulnerabilities continue to be exploited. Just one day ago, attacks were originating from 643 IP addresses, with more than 8200 servers remaining vulnerable.