Black Basta and Bl00dy Ransomware Gangs Target Unpatched ScreenConnect Servers
February 27, 2024
The Black Basta and Bl00dy ransomware gangs have begun to exploit a critical flaw (CVE-2024-1709) in ScreenConnect servers, which allows them to create admin accounts, delete all other users, and take over vulnerable servers. The vulnerability has been actively exploited since security updates and proof-of-concept exploits were released by ConnectWise. ConnectWise also addressed a high-severity path traversal vulnerability (CVE-2024-1708) that can only be exploited by threat actors with high privileges. The company has removed all license restrictions so that customers with expired licenses can protect their servers from ongoing attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog and has instructed U.S. federal agencies to secure their servers by February 29. The vulnerability is now being widely exploited, with numerous IPs targeting servers exposed online. Over 10,000 ScreenConnect servers are currently being tracked, with only 1,559 running the patched ScreenConnect 23.9.8 version.
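The gap between servers exposed online and servers running the fixed release is an inventory problem before it is anything else. The following script is an added example (not code from the article, CISA, Trend Micro or ConnectWise) that triages a list of ScreenConnect hosts against the 23.9.8 release the article names as patched; the hostnames and version strings in it are constructed, and the assumption is only that an asset database can export a (hostname, version) pair per server.

```python
"""Triage a ScreenConnect server inventory against the patched release.

Added example, not part of the original article. Assumes an inventory of
(hostname, version string) pairs exported from an asset database; the
sample rows at the bottom are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Release the article identifies as carrying the fix for CVE-2024-1709 / CVE-2024-1708.
PATCHED_VERSION = "23.9.8"

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '23.9.8' into (23, 9, 8); return None for anything that is not dotted-numeric."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str, patched: str = PATCHED_VERSION) -> bool | None:
    """True if version >= patched, False if older, None if the string cannot be parsed."""
    v = parse_version(version)
    p = parse_version(patched)
    if v is None or p is None:
        return None
    # Pad the shorter tuple so that '23.9' compares as 23.9.0 rather than raising.
    width = max(len(v), len(p))
    return v + (0,) * (width - len(v)) >= p + (0,) * (width - len(p))


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Bucket hosts into patched / unpatched / unknown; 'unknown' needs a manual check."""
    buckets: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory:
        state = is_patched(version)
        key = "unknown" if state is None else ("patched" if state else "unpatched")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("sc-prod-01.example.test", "23.9.8"),
    ("sc-prod-02.example.test", "23.9.7"),
    ("sc-lab-01.example.test", "24.1.0"),
    ("sc-old-01.example.test", "22.4"),
    ("sc-unknown.example.test", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the `unknown` bucket (no version reported, or a string the parser rejects) are the ones to chase first, since an unreachable or unmanaged server is exactly the kind that stays exposed after everyone else has patched.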
While analyzing these attacks, cybersecurity firm Trend Micro discovered that the Black Basta and Bl00dy ransomware gangs are exploiting the ScreenConnect flaws to gain initial access and backdoor victims' networks. The Black Basta gang has been observed deploying Cobalt Strike beacons on compromised systems after gaining network access. The Bl00dy ransomware gang has been using payloads built using leaked Conti and LockBit Black builders. Their ransom notes identify them as part of the Bl00dy cybercrime operation.
Other threat actors have used the newly gained access to compromised ScreenConnect servers to deploy various remote management tools, such as Atera and Syncro, or a second ConnectWise instance. Multiple ransomware payloads built using the leaked LockBit ransomware builder have been spotted in attacks exploiting the recently patched ScreenConnect flaws. These include a buhtiRansom payload found on 30 different networks and a second LockBit variant created using the leaked LockBit builder.
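A second, unsanctioned remote-management agent on a host is a simple signal for the post-compromise activity described above. The script below is an added example, not code from the article or from Trend Micro, that checks a software inventory against a per-host allowlist of sanctioned RMM products; the product names are the ones the article mentions, while the inventory rows, hostnames and allowlist are constructed for illustration.

```python
"""Flag remote-management tooling that is not sanctioned for a host.

Added example, not part of the original article. Assumes a software
inventory exported as (hostname, product display name) rows and a
per-host allowlist of sanctioned RMM products. Product names come from
the article; the inventory rows and allowlist are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable

# Remote-management products the article names as being deployed after a
# ScreenConnect compromise; each is legitimate where it is sanctioned.
RMM_PRODUCTS = ("ScreenConnect", "Atera", "Syncro")


def classify_rmm(name: str) -> str | None:
    """Return the RMM product family a display name belongs to, or None."""
    lowered = name.lower()
    for product in RMM_PRODUCTS:
        if product.lower() in lowered:
            return product
    return None


def find_unsanctioned_rmm(
    inventory: Iterable[tuple[str, str]],
    sanctioned: dict[str, set[str]],
) -> list[tuple[str, str, str]]:
    """Return (host, product, reason) for RMM software that does not match policy.

    'not-sanctioned': the product is not on the host's allowlist (a host with no
    allowlist entry is treated as allowing nothing).
    'duplicate-agent': a sanctioned product appears more than once on the host,
    e.g. a second ScreenConnect instance beside the managed one.
    """
    seen: dict[str, list[str]] = defaultdict(list)
    findings: list[tuple[str, str, str]] = []
    for host, name in inventory:
        product = classify_rmm(name)
        if product is None:
            continue
        if product not in sanctioned.get(host, set()):
            findings.append((host, product, "not-sanctioned"))
        elif product in seen[host]:
            findings.append((host, product, "duplicate-agent"))
        seen[host].append(product)
    return findings


# Constructed sample data: hostnames, display names and policy are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "Microsoft Edge"),
    ("ws-01", "ScreenConnect Client (instance-a)"),
    ("ws-01", "Atera Agent"),
    ("srv-02", "ScreenConnect Client (instance-a)"),
    ("srv-02", "ScreenConnect Client (instance-b)"),
    ("srv-03", "Syncro"),
]
SANCTIONED = {"ws-01": {"ScreenConnect"}, "srv-02": {"ScreenConnect"}}

if __name__ == "__main__":
    for host, product, reason in find_unsanctioned_rmm(SAMPLE_INVENTORY, SANCTIONED):
        print(f"{host}: {product} ({reason})")
```

Matching on display names is deliberately coarse: the aim is a cheap first pass that surfaces hosts for a closer look, not a definitive verdict on which agent is the attacker's.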
In light of these findings, Trend Micro has emphasized the importance of updating to the latest version of the software and has stressed that immediate patching is a critical security requirement to protect systems from these identified threats.