Black Basta and Bl00dy Ransomware Gangs Target Unpatched ScreenConnect Servers

February 27, 2024

The Black Basta and Bl00dy ransomware gangs have begun to exploit a critical flaw (CVE-2024-1709) in ScreenConnect servers, which allows them to create admin accounts, delete all other users, and take over vulnerable servers. The vulnerability has been actively exploited since security updates and proof-of-concept exploits were released by ConnectWise. ConnectWise also addressed a high-severity path traversal vulnerability (CVE-2024-1708) that can only be exploited by threat actors with high privileges. The company has removed all license restrictions so that customers with expired licenses can protect their servers from ongoing attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog and has instructed U.S. federal agencies to secure their servers by February 29. The vulnerability is now being widely exploited, with numerous IPs targeting servers exposed online. Over 10,000 ScreenConnect servers are currently being tracked, with only 1,559 running the patched ScreenConnect 23.9.8 version.
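The figures above (over 10,000 tracked servers, only 1,559 on the patched 23.9.8 release) turn into a concrete defensive task: inventory every ScreenConnect instance and flag any reporting a version below 23.9.8. The script below is an added example, not code from the article or from ConnectWise or Trend Micro. It assumes an inventory of hostnames and version strings has already been collected by whatever asset tool is in use; the hostnames and versions in `SAMPLE_INVENTORY` are constructed for illustration. Versions are compared numerically rather than as strings, so that a hypothetical 23.9.10 is correctly treated as newer than 23.9.8, and an unreadable version is reported as unknown rather than silently assumed safe.

```python
"""Flag ScreenConnect instances whose reported version is below the patched
release named in the article (23.9.8).

Added example: the inventory below is constructed sample data, not real hosts.
"""

from __future__ import annotations

import re
from dataclasses import dataclass

PATCHED_VERSION = "23.9.8"  # patched release cited in the article


@dataclass(frozen=True)
class Instance:
    host: str
    version: str


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Instance("sc-prod-01.example.test", "23.9.8"),
    Instance("sc-prod-02.example.test", "23.9.7"),
    Instance("sc-lab.example.test", "22.6.9"),
    Instance("sc-new.example.test", "23.9.10"),
    Instance("sc-unknown.example.test", "n/a"),
]


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '23.9.8' (or a longer build string such as '23.9.8.8811') into a
    tuple of ints that compares numerically. Returns None when no dotted
    numeric version is present, so callers can treat it as unverified."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(0).split("."))


def is_below_patched(version: str, patched: str = PATCHED_VERSION) -> bool | None:
    """True if version < patched, False if version >= patched,
    None if the version string cannot be parsed."""
    v = parse_version(version)
    p = parse_version(patched)
    if v is None or p is None:
        return None
    # Pad the shorter tuple with zeros so "23.9" compares as 23.9.0.
    width = max(len(v), len(p))
    v += (0,) * (width - len(v))
    p += (0,) * (width - len(p))
    return v < p


def triage(inventory: list[Instance]) -> dict[str, list[str]]:
    """Bucket hosts into 'unpatched', 'patched' and 'unknown' for follow-up.
    Unknown hosts need a manual version check; they are not assumed safe."""
    report: dict[str, list[str]] = {"unpatched": [], "patched": [], "unknown": []}
    for inst in inventory:
        state = is_below_patched(inst.version)
        if state is None:
            report["unknown"].append(inst.host)
        elif state:
            report["unpatched"].append(inst.host)
        else:
            report["patched"].append(inst.host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Running the script against the sample inventory lists the two hosts below 23.9.8 under `unpatched`, the 23.9.8 and 23.9.10 hosts under `patched`, and the host with no readable version under `unknown`, which is the list a defender should chase first alongside the unpatched ones.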

While analyzing these attacks, cybersecurity firm Trend Micro discovered that the Black Basta and Bl00dy ransomware gangs are exploiting the ScreenConnect flaws to gain initial access and backdoor victims' networks. The Black Basta gang has been observed deploying Cobalt Strike beacons on compromised systems after gaining network access. The Bl00dy ransomware gang has been using payloads built using leaked Conti and LockBit Black builders. Their ransom notes identify them as part of the Bl00dy cybercrime operation.

Other threat actors have used the newly gained access to compromised ScreenConnect servers to deploy various remote management tools, such as Atera and Syncro, or a second ConnectWise instance. Multiple ransomware payloads built using the leaked LockBit ransomware builder have been spotted in attacks exploiting the recently patched ScreenConnect flaws. These include a buhtiRansom payload found on 30 different networks and a second LockBit variant created using the leaked LockBit builder.

In light of these findings, Trend Micro has emphasized the importance of updating to the latest version of the software, stressing that immediate patching is critical to protecting systems from these identified threats.
