LockBit Ransomware Exploits ScreenConnect RCE Flaw: A Rising Threat

February 22, 2024

Sophos has reported the detection of ransomware payloads that were constructed using the LockBit ransomware builder, which was leaked online in September 2022. The payloads were identified as a buhtiRansom LockBit variant and a second payload created using the leaked LockBit builder. These were dropped on 30 different customer networks by different threat actors. Sophos stated, "On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool."

ConnectWise recently released security updates to patch a maximum-severity authentication bypass vulnerability (CVE-2024-1709) in ScreenConnect servers, which has been under active exploitation. A second, high-severity path traversal vulnerability (CVE-2024-1708) was also patched, but it can only be abused by threat actors who already hold high privileges. Both vulnerabilities affect all ScreenConnect versions, which led the company to remove all license restrictions so that customers with expired licenses can upgrade their software and secure their servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog and has ordered federal agencies to secure their servers within a week. The Shadowserver threat monitoring platform reports that 643 IPs are currently targeting vulnerable servers. Shodan tracks over 8,659 ScreenConnect servers, with only 980 running the patched version (ScreenConnect 23.9.8).
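The exposure figures above come down to one question for a defender: which of my ScreenConnect servers are still below the fixed release? The following is an added inventory triage script, not code from the article, Sophos, ConnectWise or CISA. It assumes that any build at or above 23.9.8 (the patched version named above) counts as patched, parses the first three numeric components of each version string (ScreenConnect builds may carry a fourth component), and sorts a constructed list of hosts into patched, needs-patch and unparseable buckets so that the unparseable entries are surfaced rather than silently treated as safe.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in the article; everything below it is treated as vulnerable
# to CVE-2024-1709 / CVE-2024-1708. Assumption: later releases also carry the fix.
FIXED_VERSION = (23, 9, 8)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return the (major, minor, patch) triple of a ScreenConnect version string.

    A fourth build component such as '23.9.8.8811' is ignored for the comparison.
    Raises ValueError when the string does not start with three numeric components.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """True when the version sorts below the fixed release."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (hostname, version) pairs into patched / needs_patch / unparseable.

    Unparseable entries are reported separately: an asset whose version cannot be
    determined must be checked by hand, never assumed patched.
    """
    result: Dict[str, List[str]] = {"patched": [], "needs_patch": [], "unparseable": []}
    for host, version in inventory:
        try:
            bucket = "needs_patch" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions, not real assets)
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("sc-hq.example.internal", "23.9.8.8811"),   # patched build
    ("sc-branch.example.internal", "23.9.7.8804"),  # one release short of the fix
    ("sc-legacy.example.internal", "22.8.1"),     # old, expired-license install
    ("sc-new.example.internal", "24.1.0"),        # newer than the fixed release
    ("sc-orphan.example.internal", "unknown"),    # version not recorded in the CMDB
]


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Feed the script the hostname/version pairs from whatever asset inventory or scanner you already run; the three buckets map directly onto the remediation list, and the unparseable bucket is the one to chase first, since an unknown version on an internet-facing remote access server is the case most likely to be overlooked.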

Sophos X-Ops has revealed that threat actors are exploiting the ScreenConnect vulnerabilities to deploy LockBit ransomware on victims' systems. A cybersecurity company, Huntress, confirmed this finding, reporting that a local government's systems, including those likely linked to their 911 Systems, and a healthcare clinic were hit by LockBit ransomware attackers exploiting CVE-2024-1709 to breach their networks.

LockBit ransomware's infrastructure was seized in a global law enforcement operation, Operation Cronos, led by the UK's National Crime Agency (NCA). As part of this operation, the National Police Agency of Japan developed a free LockBit 3.0 Black Ransomware decryptor using over 1,000 decryption keys retrieved from LockBit's seized servers and released on the 'No More Ransom' portal. Several LockBit affiliates were arrested in Poland and Ukraine, while French and US authorities issued three international arrest warrants and five indictments targeting other LockBit threat actors. Two of these indictments were brought by the US Justice Department against Russian suspects Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord).
