The Black Basta and Bl00dy ransomware gangs have joined widespread attacks targeting ScreenConnect servers unpatched against a maximum severity authentication bypass vulnerability.
This critical flaw (CVE-2024-1709) allows attackers to create admin accounts on Internet-exposed servers, delete all other users, and take over any vulnerable instance.
CVE-2024-1709 has been under active exploitation since last Tuesday, one day after ConnectWise released security updates and proof-of-concept exploits were released by several cybersecurity companies.
Last week, ConnectWise also fixed a high-severity path traversal vulnerability (CVE-2024-1708) that can only be abused by threat actors with high privileges.
The company removed all license restrictions last week so customers with expired licenses can secure their servers from ongoing attacks given that these two security bugs impact all ScreenConnect versions.
On Thursday, CISA also added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, ordering U.S. federal agencies to secure their servers by February 29.
Shadowserver says that CVE-2024-1709 is now widely exploited in attacks, with dozens of IPs targeting servers exposed online, while Shodan currently tracks over 10,000 ScreenConnect servers (only 1,559 running the ScreenConnect 23.9.8 patched version).
While analyzing these ongoing attacks, Trend Micro discovered that the Black Basta and Bl00dy ransomware gangs have also started exploiting the ScreenConnect flaws for initial access and backdooring the victims’ networks with web shells.
​While investigating their attacks, Trend Micro observed reconnaissance, discovery, and privilege escalation activity after the attackers gained access to the network and Black Basta-linked Cobalt Strike beacons being deployed on compromised systems.
The Bl00dy ransomware gang used payloads built using leaked Conti and LockBit Black builders. However, their dropped ransom notes identified the attackers as part of the Bl00dy cybercrime operation.
Trend Micro also saw attackers deploying the multi-purpose XWorm malware with remote access trojan (RAT) and ransomware capabilities.
Other threat actors used the newly gained access to compromised ScreenConnect servers to deploy various remote management tools, such as Atera and Syncro, or a second ConnectWise instance.
Sophos first revealed in a Thursday report that the recently patched ScreenConnect flaws are exploited in ransomware attacks.
They spotted multiple ransomware payloads built using the LockBit ransomware builder leaked online in late September 2022, including a buhtiRansom payload found on 30 different networks and a second LockBit variant created using the leaked Lockbit builder.
Cybersecurity company Huntress also confirmed their findings last week and told BleepingComputer that “a local government, including systems likely linked to their 911 Systems” and a “healthcare clinic” have also been hit by ransomware attackers who exploited the CVE-2024-1709 auth bypass to breach the victims’ networks.
“Following our detailed examination of various threat actors exploiting vulnerabilities in ConnectWise ScreenConnect, we emphasize the urgency of updating to the latest version of the software,” Trend Micro said today.
“Immediate patching is not just advisable; it is a critical security requirement to protect your systems from these identified threats.”