LockBit Uprising: Ransomware infects hundreds of ScreenConnect servers with outdated software

Operators continue to carry out attacks despite the takedown of their infrastructure.

Attackers are actively exploiting the ScreenConnect vulnerability to break into unpatched servers and deploy LockBit ransomware on compromised networks.

The authentication bypass vulnerability CVE-2024-1709 (CVSS score: 10.0) has been actively exploited since February 20, just one day after ConnectWise released security updates. The path-traversal vulnerability CVE-2024-1708 (CVSS score: 8.4), which leads to Remote Code Execution (RCE), has also been addressed. Attacks can be carried out remotely and do not require user interaction.

Both issues affect all versions of ScreenConnect, which prompted the company to remove all license restrictions, allowing customers with expired licenses to update the software to the latest version and protect their servers from attacks. CISA has added CVE-2024-1709 to its KEV catalog.

The Shadowserver threat monitoring platform previously reported 643 IP addresses exploiting CVE-2024-1709. Shodan tracks more than 8,659 ScreenConnect servers, of which only 980 are running the updated ScreenConnect version 23.9.8.

According to Sophos X-Ops, attackers deploy LockBit ransomware on victims' systems after gaining access by exploiting the ScreenConnect flaws described above. Huntress has confirmed attacks on local authorities, emergency services, and a medical clinic using the CVE-2024-1709 vulnerability.

Despite the recent law enforcement operation against LockBit, some of the group's affiliates continue to operate. Huntress specialists said that they cannot attribute the attacks directly to the LockBit group itself, but that LockBit clearly has a large reach, including tools, various affiliate groups and offshoots that were not completely eliminated even after the law enforcement action.

As part of the international Operation Cronos, which began on Monday, February 19, at least three accomplices of the well-known extortion gang LockBit were arrested in Poland and Ukraine. These arrests followed the dismantling of the LockBit dark web infrastructure, which the group used to threaten its victims and to publish stolen data when a ransom was not paid.
 