A new ConnectWise phishing campaign has been discovered, directed at both the healthcare and cryptocurrency communities in the United States.
These campaigns, orchestrated by threat actors on the dark web, have used deceptive tactics to distribute malicious software, in particular by leveraging the ScreenConnect vulnerability.
ConnectWise ScreenConnect, a legitimate remote support tool widely used by IT professionals and Managed Service Providers (MSPs), has become the focal point of these cyberattacks.
By exploiting ScreenConnect vulnerabilities, threat actors have gained unauthorized access to victim systems, enabling them to execute various nefarious activities.
ScreenConnect Vulnerability Exploited by Threat Actors
According to Cyble Research and Intelligence Labs (CRIL), the modus operandi of these phishing campaigns involves the creation of fraudulent websites, often mimicking legitimate cryptocurrency platforms or healthcare organizations.
For instance, one such phishing site, “hxxps://rollecoin[.]online,” closely resembled the authentic website of RollerCoin, a platform offering Bitcoin mining simulation games. Visitors who interacted with these fraudulent sites unwittingly downloaded ScreenConnect client files; this download is the initial point of contact between the threat actors and their victims, and it places the victims at risk of exploitation.
Similarly, healthcare entities have been targeted through deceptive websites hosted using subdomain takeovers, such as “sgacor.kenparkmdpllc[.]com,” masquerading as legitimate healthcare platforms. These phishing sites capitalize on the trust associated with renowned healthcare services to lure victims into downloading malicious software.
Given the rise of cyberattacks on healthcare facilities, the ConnectWise phishing campaign adds fuel to the fire as threat actors aggressively target organizations related to healthcare and medicine.
Similar Incidents Exploiting ScreenConnect Vulnerability
Upon analysis, CRIL discovered that the downloaded ScreenConnect client files initiated the deployment of Microsoft Installer (MSI) files, which installed the ScreenConnect service on compromised machines.
While no active communication between the server and the client was detected in these instances, the potential for data extraction or malware deployment remained a looming concern.
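As an added defender-side example (not code from the Cyble report), the following script flags ScreenConnect client services registered on a Windows host whose relay host is not one of the organization's approved instances, which is how an install dropped by a phishing download would surface. It assumes the service-name pattern and the client command-line parameters (including the `h=` relay host) commonly seen in ScreenConnect client installs; the event records, instance IDs and hostnames are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed Service Control Manager "service was installed" (Event ID 7045) records,
# already parsed into fields. Hypothetical sample data, not taken from the report.
SAMPLE_EVENTS = [
    {  # expected install from the organization's own (assumed) ScreenConnect instance
        "ServiceName": "ScreenConnect Client (0f1e2d3c4b5a6978)",
        "ImagePath": r'"C:\Program Files (x86)\ScreenConnect Client (0f1e2d3c4b5a6978)\ScreenConnect.ClientService.exe" '
                     r'"?e=Access&y=Guest&h=helpdesk.example-corp.invalid&p=443&s=00000000-0000-0000-0000-000000000001"',
    },
    {  # client dropped by a phishing download, pointing at an unknown relay host
        "ServiceName": "ScreenConnect Client (9a8b7c6d5e4f3a2b)",
        "ImagePath": r'"C:\Program Files (x86)\ScreenConnect Client (9a8b7c6d5e4f3a2b)\ScreenConnect.ClientService.exe" '
                     r'"?e=Access&y=Guest&h=relay.attacker-example.invalid&p=8041&s=00000000-0000-0000-0000-000000000002"',
    },
    {  # unrelated service, should be ignored
        "ServiceName": "Example Backup Agent",
        "ImagePath": r'"C:\Program Files\Example\backup.exe"',
    },
]

# Assumption: the relay host(s) of the organization's own ScreenConnect deployment.
APPROVED_RELAY_HOSTS = {"helpdesk.example-corp.invalid"}

# Assumed service-name format: "ScreenConnect Client (<16 hex chars>)".
SC_SERVICE = re.compile(r"^ScreenConnect Client \(([0-9a-f]{16})\)$")
# The client's second argument is a quoted query string starting with "?".
QUERY_ARG = re.compile(r'"\?([^"]*)"')


def relay_host(image_path: str) -> Optional[str]:
    """Pull the h= relay host out of the client's command line, if present."""
    m = QUERY_ARG.search(image_path)
    if not m:
        return None
    return parse_qs(m.group(1)).get("h", [None])[0]


def find_unexpected_screenconnect(events, approved=APPROVED_RELAY_HOSTS):
    """Return (service name, relay host) for ScreenConnect clients not pointing at an approved relay."""
    hits = []
    for ev in events:
        if not SC_SERVICE.match(ev.get("ServiceName", "")):
            continue
        host = relay_host(ev.get("ImagePath", ""))
        if host is None or host.lower() not in approved:
            hits.append((ev["ServiceName"], host))
    return hits


if __name__ == "__main__":
    for name, host in find_unexpected_screenconnect(SAMPLE_EVENTS):
        print(f"unexpected ScreenConnect client: {name} -> relay {host}")
```

In practice the events would come from the System log (or a SIEM) rather than an inline list; a missing query string is treated as suspicious as well, since a legitimate client always carries its connection parameters.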
This exploitation of ScreenConnect vulnerabilities is not unprecedented. Previous incidents, documented by various cybersecurity firms, have shown similar patterns of abuse.
For example, suspicions arose in February 2021 regarding the potential exploitation of ScreenConnect by threat groups like Static Kitten.
Subsequent incidents in May 2022 and November 2023 further highlighted the susceptibility of organizations, particularly in the healthcare sector, to cyberattacks facilitated through ScreenConnect.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.