28 February 2024

Multiple threat actors exploiting recent ConnectWise flaws


Multiple threat actors exploiting recent ConnectWise flaws

The BlackBasta and Bl00dy ransomware gangs have joined the list of threat actors that are exploiting the recently patched security vulnerabilities in ConnectWise SmartConnect remote access tool.

One of the flaws (CVE-2024-1709) an authentication bypass issue, which can allow a remote non-authenticated attacker can bypass the authentication process and gain full access to the system. The vulnerabilities affect ScreenConnect 23.9.7 and prior. The second flaw (CVE-2024-1708) is a path traversal issue that can be used by a remote privileged user to read arbitrary files on the system using a specially crafted HTTP request.

Previously, cybersecurity firm Sophos reported that it observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708, CVE-2024-1709). The team said they have also seen the ScreenConnect vulnerability being abused to deploy AsyncRAT, infostealing malware, and SimpleHelp remote access client. It appears that despite LockBit’s takedown (full coverage on the topic below), some affiliates are still active and conducting attacks.

According to a new Trend Micro’s report, multiple threat actors are exploiting flaws in ConnectWise ScreenConnect, ranging from ransomware deployment to information stealing and data exfiltration attacks.

The BlackBasta ransomware gang was seen performing reconnaissance, discovery, and privilege escalation, along with deploying Cobalt Strike payloads.

Besides Black Basta, other threat actors were detected utilizing Cobalt Strike payloads on compromised servers, while also attempting to deactivate the real-time monitoring features of Windows Defender.

The Bl00dy ransomware group exploited vulnerabilities in ConnectWise ScreenConnect to deploy leaked builders from Conti and LockBit. Despite this, ransom notes from both incidents attributed the attacks to the Bl00dy group.

In separate incidents, Trend Micro observed threat actors leveraging ScreenConnect vulnerabilities to distribute the XWorm malware that implements remote access capabilities, as well as the ability to spread across networks, exfiltrate sensitive data, and download additional malware.

The researchers said they also observed attacks where threat actors deployed various remote access tools, such as Atera and Syncro, and another instance of ConnectWise.

Back to the list

Latest Posts

Iranian hackers exploit RMM tools to deliver malware

Iranian hackers exploit RMM tools to deliver malware

One of the aspects of MuddyWater's strategy involves exploiting Atera's free trial offers.
24 April 2024
Ongoing malware campaign targets multiple industries, distributes infostealers

Ongoing malware campaign targets multiple industries, distributes infostealers

The campaign leverages a CDN cache domain as a download server, hosting malicious HTA files and payloads.
24 April 2024
US charges four Iranian hackers for cyber intrusions

US charges four Iranian hackers for cyber intrusions

The group targeted both both government and private entities.
24 April 2024