ConnectWise ScreenConnect bug used in Play ransomware breach, MSP attack – Cyber Tech

A critical ConnectWise ScreenConnect vulnerability that allows authentication bypass was used in a Play ransomware breach and an attempted supply chain attack involving LockBit malware, researchers say.

One of the attacks targeted a managed service provider (MSP) for a potential wider supply chain breach against its customers, the At-Bay Cyber Research Group revealed in an article Thursday. A nonprofit organization was among a group of customers that were targeted by cybercriminals deploying LockBit ransomware.

However, the attack was thwarted by the MSP’s security operations center (SOC) before files were encrypted or customers were further impacted, At-Bay said.

“Given that the encryption executable was found on that particular organization’s system, it’s safe to say the threat actors were close,” a representative from At-Bay’s Cyber Research group told SC Media in an email. “Without notice from the MSP, the organization probably wouldn’t have realized anything was amiss unless the systems were encrypted or the threat actors themselves made contact.”

In another case, a finance company was hit by Play ransomware after discovering an intrusion while attempting to apply the ScreenConnect patch. Despite immediate mitigation efforts, the threat actors successfully encrypted the company’s entire storage area network (SAN) and made a ransom demand.

Both attacks described in the At-Bay article occurred within 72 hours of ConnectWise disclosing and releasing patches for two ScreenConnect vulnerabilities on Feb. 19. The most severe vulnerability is a critical authentication bypass flaw tracked as CVE-2024-1709, which has a maximum CVSS score of 10.

“Analogous to possessing a master key, this vulnerability allows nefarious actors to generate their own administrative user on the platform, granting them full control,” the At-Bay Cyber Research Group wrote in the article.

The other bug, tracked as CVE-2024-1708, can enable access to files outside of restricted subdirectories, although Huntress researchers noted that the administrative access provided by CVE-2024-1709 enables malicious code to be executed anywhere on the system.
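To illustrate the bug class behind a finding like "access to files outside of restricted subdirectories," here is an added example in Python that is not ScreenConnect code and not from Huntress, At-Bay or ConnectWise; it makes no claim about how CVE-2024-1708 itself is implemented or exploited. It places a naive file reader beside a hardened one and runs both over constructed inputs (a benign name, a `../` escape, and an absolute path). The directory layout, file names and function names are all assumptions made for the demonstration.

```python
"""Added example (not ScreenConnect code): the generic class of bug behind a
'file access outside a restricted subdirectory' finding.

read_file_vulnerable() joins user input onto a base directory and trusts the
result. read_file_hardened() resolves the path first and refuses anything that
escapes the base. Everything below (layout, file names, inputs) is constructed.
"""
import os
import tempfile


def make_sandbox() -> tuple[str, str]:
    """Constructed layout: <root>/files is the allowed directory, <root>/secret.txt sits outside it."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    allowed = os.path.join(root, "files")
    os.makedirs(allowed)
    with open(os.path.join(allowed, "readme.txt"), "w") as fh:
        fh.write("public")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("private")
    return root, allowed


def read_file_vulnerable(base: str, user_path: str) -> str:
    """Naive join: '../secret.txt' walks out of base, and an absolute path replaces base entirely."""
    with open(os.path.join(base, user_path)) as fh:
        return fh.read()


def read_file_hardened(base: str, user_path: str) -> str:
    """Resolve symlinks and '..' first, then require the result to remain inside base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    # Both paths are absolute and resolved, so a common prefix check is a true containment check.
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"path escapes restricted directory: {user_path!r}")
    with open(target) as fh:
        return fh.read()


def demo() -> dict:
    """Run both readers over benign and escaping inputs.

    Returns {probe: (vulnerable_result, hardened_result)} where a value of None
    means the reader refused (or failed) the request.
    """
    root, allowed = make_sandbox()
    probes = [
        "readme.txt",                       # benign, inside the allowed directory
        "../secret.txt",                    # relative escape via '..'
        os.path.join(root, "secret.txt"),   # absolute path, discards base on join
    ]
    results = {}
    for probe in probes:
        try:
            vuln = read_file_vulnerable(allowed, probe)
        except OSError:
            vuln = None
        try:
            hard = read_file_hardened(allowed, probe)
        except (PermissionError, OSError):
            hard = None
        results[probe] = (vuln, hard)
    return results


if __name__ == "__main__":
    for probe, (vuln, hard) in demo().items():
        print(f"{probe!r}: vulnerable -> {vuln!r}, hardened -> {hard!r}")
```

The hardened reader deliberately resolves the base as well as the target so that a symlinked base directory does not produce a false mismatch, and it compares the resolved paths rather than string prefixes, which is what prevents `/srv/files` from accidentally accepting `/srv/files-secret`.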

“The sheer prevalence of this software and the access afforded by this vulnerability signals we’re on the cusp of a ransomware free-for-all,” Huntress CEO Kyle Hanslovan told SC Media last week.

More than 3,800 ScreenConnect instances still vulnerable amid ransomware attacks

LockBit ransomware activity has been seen in attacks targeting the ConnectWise ScreenConnect vulnerabilities since Feb. 21, as reported by Sophos X-Ops researchers and corroborated by Huntress and At-Bay.

Despite a major takedown of LockBit infrastructure by international authorities early last week, the leak of the LockBit 3.0 builder in September 2022 means other threat actors are likely using this variant in many of the attacks observed in the days since the bugs were disclosed.

At-Bay confirmed that the LockBit 3.0 executable (LB3.exe) was deployed in the attack against an MSP and its customers but was removed using endpoint detection and response (EDR) software before it could be launched.

In addition to LockBit and Play, Black Basta and Conti ransomware are also being used in campaigns targeting the ConnectWise CVEs, Trend Micro reported on Tuesday. The latter strain comes from another leaked builder being used by a ransomware group known as Bl00dy, which is also using LockBit 3.0 in its ScreenConnect attacks.

Black Basta threat actors were seen deploying Cobalt Strike beacons, executing ransomware and exfiltrating data in environments running vulnerable versions of ScreenConnect.

“Traffic associated with this vulnerability set initially spiked very high, then leveled off and has remained somewhat constant,” Trend Micro’s Vice President for Cybersecurity Greg Young told SC Media in an email.

Young added that one observation late this week showed that the number of successful ScreenConnect exploits was “in the double digits of servers.”

Amid this spate of attacks, more than 3,800 ScreenConnect instances tracked by nonprofit cybersecurity organization Shadowserver remained vulnerable to CVE-2024-1709 as of Feb. 29. Notably, this is less than half the number Shadowserver reported on Feb. 21, when more than 8,200 vulnerable instances were detected.

At-Bay’s Cyber Research group told SC Media that ransomware threat actors can jump on newly disclosed vulnerabilities within “a matter of hours.”

“Organizations like to test software patches with organizations’ IT stack to make sure the patches don’t break any other functionalities. Even the best companies can take days with that process. Cybercriminals move much quicker,” an At-Bay representative said.

On Feb. 21, Shadowserver said its sensors detected nearly 650 IPs targeting CVE-2024-1709.

The ScreenConnect flaws were also implicated in a cyberattack against Change Healthcare by First Health Advisory Chief Security Officer Toby Gouker in comments to SC Media, and by RedSense researchers who studied “exfiltration-related telemetry for the timeline associated with the attack,” according to RedSense Co-Founder Yelisey Bohuslavskiy.

ConnectWise has said Change Healthcare does not appear to be a direct customer and that it “cannot confirm that there is a connection” between the attack and the ScreenConnect vulnerability.

Ransomware group ALPHV/BlackCat claimed responsibility for the Change Healthcare attack on Wednesday and denied using the ScreenConnect flaws. UnitedHealth Group, parent company of Change Healthcare operator Optum, has since confirmed ALPHV/BlackCat was behind the attack.
