Cybercriminal groups actively exploiting ‘catastrophic’ ScreenConnect bug
A security vulnerability in a commercially available remote access tool is being exploited by ransomware criminals just days after first being disclosed.
The specific vulnerability, affecting some versions of ConnectWise’s ScreenConnect product, has been given the maximum CVSS score of 10, indicating that it poses a critical threat to organizations that haven’t patched their software.
It was described as a “catastrophe” by cybersecurity company Huntress, which warned that it was “trivial and embarrassingly easy” for hackers to exploit the bug, which would allow them to remotely execute code on the victim’s network. The vulnerability is being tracked as CVE-2024-1709.
ScreenConnect is a popular enterprise tool and is widely used by managed service providers (MSPs), which the British government has described as “an attractive and high value target for malicious threat actors” as MSPs “can be used as staging points through which threat actors can compromise the clients of those managed services.”
Financially motivated ransomware attacks have previously hit MSP-focused companies such as Kaseya in the United States and the NHS supplier Advanced in Britain, with the latter attack severely disrupting patient care, according to BBC News.
In a series of posts on social media on Thursday, cybersecurity company Sophos announced it had observed several ransomware attacks exploiting the vulnerability within the last 24 hours.
Sophos said “attacks against both servers and client machines are currently underway” and warned that applying a patch after being compromised “will not remove any malware or webshells attackers manage to deploy prior to patching” and that “any compromised environments need to be investigated.”
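Sophos's warning is that a patch closes the door but does not evict anyone already inside, so a compromised ScreenConnect server still has to be triaged for files the attacker left behind. The script below is an added example of one way to start that triage, written for this page and not code from Sophos, Huntress or ConnectWise. It walks a web root looking for server-side script files (.aspx, .ashx and similar, the types IIS will execute) that were written during the exploitation window or that contain command-execution primitives typical of webshells. The window dates, the file suffixes, the content patterns and the `build_sample_web_root` tree are all assumptions or constructed sample data, not indicators published for this vulnerability; tune them to the environment and to your own patch timestamp.

```python
"""Post-patch webshell triage for an ASP.NET web root (added example, not vendor code).

Assumptions (not from the article): the exploitation window, the script suffixes and
the content heuristics are placeholders to be tuned per environment.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Exploitation window (assumption): from first in-the-wild exploitation to the moment
# you patched. Files an attacker dropped usually carry an mtime inside this window.
WINDOW_START = datetime(2024, 2, 19, tzinfo=timezone.utc).timestamp()
WINDOW_END = datetime(2024, 2, 23, tzinfo=timezone.utc).timestamp()

# Server-side script types IIS/ASP.NET will execute if dropped into the web root.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".cshtml"}

# Content markers common to ASP.NET webshells (assumption; expect false positives on admin pages).
SUSPICIOUS = {
    "process-start": re.compile(r"Process\.Start\s*\(", re.I),
    "shell-binary": re.compile(r"(cmd\.exe|powershell(\.exe)?)", re.I),
    "request-param": re.compile(r"Request(\.(Form|QueryString))?\s*\[", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "assembly-load": re.compile(r"Assembly\.Load\w*\s*\(", re.I),
}


def hunt_webshells(web_root, window_start=WINDOW_START, window_end=WINDOW_END):
    """Return findings for script files written during the window or containing
    command-execution primitives, highest score first."""
    web_root = Path(web_root)
    findings = []
    for path in web_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        mtime = path.stat().st_mtime
        in_window = window_start <= mtime <= window_end
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(text))
        if not in_window and not hits:
            continue
        findings.append({
            "path": path.relative_to(web_root).as_posix(),
            "in_window": in_window,
            "hits": hits,
            # mtime alone is weak evidence (attackers timestomp, and patches touch
            # files too), so each content hit outweighs the timing signal.
            "score": len(hits) * 2 + (1 if in_window else 0),
        })
    return sorted(findings, key=lambda f: (-f["score"], f["path"]))


def build_sample_web_root():
    """Constructed sample tree (not real ScreenConnect files) covering each case."""
    root = Path(tempfile.mkdtemp(prefix="sc-webroot-"))
    before = WINDOW_START - 30 * 86400   # predates the window
    during = WINDOW_START + 86400        # inside the window
    samples = [
        ("App/Default.aspx", before, '<%@ Page Language="C#" %><html>Login</html>'),
        ("App/Admin.aspx", during, '<%@ Page Language="C#" %><html>Admin</html>'),
        ("App_Extensions/shell.ashx", during,
         '<%@ WebHandler Language="C#" Class="h" %>\n'
         'public class h : IHttpHandler { public void ProcessRequest(HttpContext c) {'
         ' System.Diagnostics.Process.Start("cmd.exe", "/c " + c.Request["c"]); } }'),
        # Timestomped to look old: only the content heuristics will catch it.
        ("Bin/Stomped.aspx", before,
         '<% var a = System.Reflection.Assembly.Load('
         'Convert.FromBase64String(Request.Form["d"])); %>'),
    ]
    for rel, ts, content in samples:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
        os.utime(p, (ts, ts))
    return root


if __name__ == "__main__":
    for f in hunt_webshells(build_sample_web_root()):
        print(f"{f['score']:2d}  {f['path']:30s} in_window={f['in_window']} hits={f['hits']}")
```

On the constructed tree the handler in App_Extensions scores highest (three content hits plus an in-window mtime), the timestomped page is still caught on content alone, the benign admin page shows up only because of its mtime and sits at the bottom for manual review, and the untouched login page is not reported. Run it against a disk image or a copy of the web root rather than the live server so the mtimes you are relying on are not disturbed, and treat the output as a starting list for investigation, not as proof of either compromise or cleanliness.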
Sophos initially claimed these were LockBit attacks, although a law enforcement operation shut down the LockBit ransomware-as-a-service platform earlier this week: “Despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running,” the company wrote.
The British National Crime Agency-led operation did not claim to have caught all of the LockBit affiliates, with only three arrests taking place since Monday.
“We have not arrested everyone in relation to LockBit, neither in the core or affiliates. This is a long-term process,” said the agency’s chief, Graeme Biggar.
However, law enforcement captured the ransomware gang’s central administration platform, meaning affiliates — or the customers in the criminal software-as-a-service model — are unable to use that platform in their extortion efforts.
In a followup post, Sophos clarified: “It appears that our signature-based detection correctly identified the payloads as ransomware generated by the leaked LockBit builder, but the ransom notes dropped by those payloads identified one as ‘buhtiRansom,’ and the other did not have a name in its ransom note.”
LockBit’s ransomware toolkit was leaked in September 2022 by a disgruntled affiliate, spawning a wave of attacks using knockoff versions of the encryption software.
The spread of such knockoff software lowers the barrier to entry for criminals operating in the ransomware-as-a-service space, with previous leaks affecting the Conti and REvil groups also leading to a surge in copycat outfits.
In a statement sent to Recorded Future News, Christopher Budd, the director at Sophos X-Ops Threat Research, said: “We’ve seen multiple attacks involving ScreenConnect in the past 48 hours. The most noteworthy has been a malware that was built using the LockBit 3 ransomware builder tool leaked in 2022.”
Budd acknowledged “this may not have originated with the actual LockBit developers.”
He cautioned: “We’re also seeing RATs, infostealers, password stealers and other ransomware. All of this shows that many different attackers are targeting ScreenConnect. Anyone using ScreenConnect should take steps to immediately isolate vulnerable servers and clients, patch them and check for any signs of compromise.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.