LockBit Ransomware Attacks Exploit ScreenConnect Servers Vulnerability
February 22, 2024
Attackers are exploiting an authentication bypass vulnerability, CVE-2024-1709, in unpatched ScreenConnect servers to launch LockBit ransomware attacks on compromised networks. This severe vulnerability has been actively exploited since the day after ConnectWise released security updates and cybersecurity companies posted proof-of-concept exploits. ConnectWise also addressed another high-severity vulnerability, the path traversal flaw CVE-2024-1708, which can only be exploited by threat actors with high privileges.
Both vulnerabilities affect all ScreenConnect versions, which led the company to remove all license restrictions so that customers with expired licenses can upgrade to the latest software version and protect their servers from attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, mandating that U.S. federal agencies secure their servers within a week, by February 29. Currently, Shodan is tracking over 8,659 ScreenConnect servers, of which only 980 are running the patched ScreenConnect 23.9.8 version.
Sophos X-Ops disclosed that threat actors have been using these two ScreenConnect vulnerabilities to deploy LockBit ransomware on victims' systems. They stated, "In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)." They also noted that despite the law enforcement operation against LockBit, some affiliates are still operational.
Cybersecurity firm Huntress confirmed these findings, revealing that a local government entity (including systems likely linked to its 911 systems) and a healthcare clinic have also been targeted by LockBit ransomware attackers exploiting the CVE-2024-1709 vulnerability. "We can confirm that the malware being deployed is associated with Lockbit," stated Huntress.
LockBit ransomware's infrastructure was seized earlier this week as part of a global law enforcement operation, Operation Cronos, led by the U.K.'s National Crime Agency (NCA). During this operation, several LockBit affiliates were arrested in Poland and Ukraine, while French and U.S. authorities issued arrest warrants and indictments against other LockBit threat actors. Despite this, LockBit continues to claim attacks on large-scale and government organizations worldwide. The U.S. State Department is now offering rewards of up to $15 million for information about LockBit ransomware gang members and their associates.