Black Basta and Bl00dy ransomware gangs exploiting ConnectWise vulns

More ransomware gangs have been observed exploiting two dangerous vulnerabilities in ConnectWise ScreenConnect software, prompting new warnings for users to get patching

More ransomware gangs, including the notorious Black Basta operation, have now been observed exploiting a pair of significant vulnerabilities in the ConnectWise ScreenConnect software platform, disclosed on Monday 19 February 2024.

CVE-2024-1708 and CVE-2024-1709 are path traversal and authentication bypass vulns, carrying CVSS scores of 8.4 and 10 respectively. ConnectWise has made patches available, and details of those patches, indicators of compromise (IoCs), and vulnerable versions can be found here. The vulnerabilities are described as trivial to exploit and extremely dangerous.

By Friday 23 February, it had emerged that a threat actor using a leaked build of LockBit – likely not LockBit given that gang’s recent troubles – had begun to exploit the ConnectWise ScreenConnect vulnerabilities in ransomware attacks.

Earlier today (Tuesday 27 February), Trend Micro researchers Ian Kenefick, Junestherry Dela Cruz and Peter Girnus published new intelligence revealing their discovery of the Black Basta and Bl00dy ransomware gangs using the ConnectWise ScreenConnect vulnerabilities to target organisations that have so far failed to patch.

“Our telemetry has found that diverse threat actor groups are exploiting vulnerabilities in ConnectWise ScreenConnect, with tactics ranging from ransomware deployment to information stealing and data exfiltration attacks,” wrote the team in their disclosure notice.

“These activities, which originate from different intrusion sets, highlight the urgency of securing systems against these vulnerabilities…. This further underscores the immediate need for ScreenConnect users to have effective defence strategies and swift patching.”

Black Basta – which recently attacked the systems of utility Southern Water in the UK – was observed deploying Cobalt Strike beacons in some environments to perform reconnaissance, asset discovery and privilege escalation activities prior to executing the final stages of their attack.

Another group, which Trend Micro did not identify, was tracked after it was observed trying to disable real-time monitoring features in Windows Defender using PowerShell, after which it also deployed Cobalt Strike.
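
A defender-side check for the Defender tampering described above, as an added example that is not code from Trend Micro or from the original article. It assumes the change was made with the `Set-MpPreference -DisableRealtimeMonitoring` cmdlet (the article does not quote the command) and scans constructed process command lines, including Base64 `-EncodedCommand` payloads and abbreviated parameter names.

```python
import base64
import re

FULL_NAME = "disablerealtimemonitoring"
# PowerShell accepts unambiguous parameter-name prefixes, so match from
# "-DisableRea" upward. "$false"/"0" re-enables protection and is not flagged.
PARAM = re.compile(r"-(disablerea[a-z]*)[\s:]+(\$true|1)\b", re.I)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def decoded_views(cmdline):
    """Yield the command line, then every Base64 token that decodes as
    UTF-16LE (the encoding powershell.exe -EncodedCommand expects)."""
    yield cmdline
    for token in B64_TOKEN.findall(cmdline):
        try:
            yield base64.b64decode(token, validate=True).decode("utf-16-le")
        except ValueError:  # bad padding, bad alphabet or odd byte count
            continue

def disables_realtime_monitoring(cmdline):
    for text in decoded_views(cmdline):
        if "set-mppreference" not in text.lower():
            continue
        if any(FULL_NAME.startswith(m.group(1).lower())
               for m in PARAM.finditer(text)):
            return True
    return False

# Constructed sample data: (host, process command line) pairs.
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    ("ws-01", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("ws-02", "powershell.exe -c Set-MpPreference -DisableRea:1"),
    ("ws-03", "powershell.exe -NoP -EncodedCommand " + ENCODED),
    ("ws-04", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"),
    ("ws-05", "powershell.exe Get-MpPreference"),
]

def flagged_hosts(events):
    return [host for host, cmd in events if disables_realtime_monitoring(cmd)]

if __name__ == "__main__":
    print(flagged_hosts(SAMPLE_EVENTS))
```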

The presence of Bl00dy, which last year struck multiple targets through a zero-day in a print management software platform, was ascertained by Trend Micro after it observed the group deploying leaked builds of both the Conti and LockBit Black (LockBit 3.0) lockers.

Threat actors have also been tracked exploiting the ConnectWise ScreenConnect vulnerabilities using the multifaceted XWorm malware, which offers remote access, self-spreading capabilities and data exfiltration, and is also capable of downloading additional payloads.

“We emphasise the urgency of updating to the latest version of the software. Immediate patching is not just advisable; it is a critical security requirement to protect your systems from these identified threats,” wrote the Trend Micro team.

“If exploited, these vulnerabilities could compromise sensitive data, disrupt business operations, and inflict significant financial losses. The fact that threat actors are actively using these weaknesses to distribute ransomware adds a layer of urgency for immediate corrective actions.”

Easily beaten

Researchers at Huntress Security, who have been tracking the ConnectWise ScreenConnect vulnerabilities since disclosure and were among the first to recognise the gravity of the two flaws, said those threat actors who have been exploiting the vulnerabilities could be easily stopped, simply because they haven’t done anything new as such.

“This incredibly interesting ScreenConnect exploit has enamoured many of us at Huntress for the last few days, but it’s a shame our adversaries didn’t commit to pairing this new exploit with new tradecraft,” wrote the Huntress team in an update published on 23 February.

Huntress said that most of the post-compromise activities observed thus far were not novel, original or outstanding, simply because most threat actors aren’t terribly sophisticated and don’t really know what to do beyond procedural tradecraft, so they stick to tried and true methods. This makes them easily beaten by a halfway competent security team.
