A critical ConnectWise ScreenConnect vulnerability that allows authentication bypass was used in a Play ransomware attack and an attempted supply chain attack involving LockBit malware, researchers say.
One of the attacks targeted a managed service provider (MSP) for a potential wider supply chain attack against its customers, the At-Bay Cyber Research Team revealed in an article Thursday. A nonprofit organization was among a group of customers that were targeted by cybercriminals deploying LockBit ransomware.
However, the attack was thwarted by the MSP's security operations center (SOC) before files were encrypted or customers were further impacted, At-Bay said.
“Given that the encryption executable was found on that particular organization's system, it's safe to say the threat actors were close,” a representative from At-Bay's Cyber Research team told SC Media in an email. “Without notice from the MSP, the organization likely would not have realized anything was amiss until the systems were encrypted or the threat actors themselves made contact.”
In another case, a finance company was hit by Play ransomware after discovering an intrusion while attempting to apply the ScreenConnect patch. Despite immediate mitigation efforts, the threat actors successfully encrypted the company's entire storage area network (SAN) and made a ransom demand.
Both attacks described in the At-Bay article occurred within 72 hours of ConnectWise disclosing and releasing patches for two ScreenConnect vulnerabilities on Feb. 19. The most severe vulnerability is a critical authentication bypass flaw tracked as CVE-2024-1709, which has a maximum CVSS score of 10.
“Analogous to possessing a master key, this vulnerability allows nefarious actors to generate their own administrative user on the platform, granting them full control,” the At-Bay Cyber Research Team wrote in the article.
The other bug, tracked as CVE-2024-1708, can enable access to files outside of restricted subdirectories, although Huntress researchers noted the administrative access provided by CVE-2024-1709 enables malicious code to be executed anywhere on the system.
“The sheer prevalence of this software and the access afforded by this vulnerability signals we're on the cusp of a ransomware free-for-all,” Huntress CEO Kyle Hanslovan told SC Media last week.
More than 3,800 ScreenConnect instances still vulnerable amid ransomware attacks
LockBit ransomware activity has been seen in attacks targeting the ConnectWise ScreenConnect vulnerabilities since Feb. 21, as reported by Sophos X-Ops researchers and corroborated by Huntress and At-Bay.
Despite a major takedown of LockBit infrastructure by international authorities early last week, the leak of the LockBit 3.0 builder in September 2022 means other threat actors are likely using this variant in many of the attacks observed in the days since the bugs were disclosed.
At-Bay confirmed that the LockBit 3.0 executable (LB3.exe) was deployed in the attack against an MSP and its customers but was removed using endpoint detection and response (EDR) software before it could be launched.
In addition to LockBit and Play, Black Basta and Conti ransomware are also being used in campaigns targeting the ConnectWise CVEs, Trend Micro reported on Tuesday. The latter strain comes from another leaked builder being used by a ransomware group known as Bl00dy, which is also using LockBit 3.0 in its ScreenConnect attacks.
Black Basta threat actors have been seen deploying Cobalt Strike beacons, executing ransomware and exfiltrating data in environments running vulnerable versions of ScreenConnect.
“Traffic associated with this vulnerability set initially spiked very high, then leveled off and has remained somewhat constant,” Trend Micro's Vice President for Cybersecurity Greg Young told SC Media in an email.
Young added that one observation late this week showed that the number of successful ScreenConnect exploits was “in the double digits of servers.”
Amid this spate of attacks, more than 3,800 ScreenConnect instances tracked by nonprofit cybersecurity organization Shadowserver remained vulnerable to CVE-2024-1709 as of Feb. 29. Notably, that is less than half the number Shadowserver reported on Feb. 21, when more than 8,200 vulnerable instances were detected.
At-Bay's Cyber Research team told SC Media that ransomware threat actors can jump on newly disclosed vulnerabilities within “a matter of hours.”
“Organizations like to test software patches with organizations' IT stack to make sure the patches don't break any other functionalities. Even the best companies can take days with that process. Cybercriminals move much quicker,” an At-Bay representative said.
On Feb. 21, Shadowserver said its sensors detected nearly 650 IPs targeting CVE-2024-1709.
The ScreenConnect flaws were also implicated in a cyberattack against Change Healthcare by First Health Advisory Chief Security Officer Toby Gouker in comments to SC Media, and by RedSense researchers who studied “exfiltration-related telemetry for the timeline associated with the attack,” according to RedSense Co-Founder Yelisey Bohuslavskiy.
ConnectWise has said Change Healthcare does not appear to be a direct customer and that it “cannot confirm that there is a connection” between the attack and the ScreenConnect vulnerability.
Ransomware group ALPHV/BlackCat claimed responsibility for the Change Healthcare attack on Wednesday and denied using the ScreenConnect flaws. UnitedHealth Group, parent company of Change Healthcare operator Optum, has since confirmed ALPHV/BlackCat was behind the attack.