Sophos reports that ransomware attacks exploiting a newly identified ScreenConnect remote code execution (RCE) flaw have been observed. These attacks deploy LockBit ransomware, with payloads created using a leaked malware builder. Despite recent law enforcement actions against LockBit, attacks persist, indicating the resilience of the threat actors involved.
The authentication bypass vulnerability, CVE-2024-1709, is being actively exploited to breach ScreenConnect servers, along with a high-severity path traversal flaw, CVE-2024-1708. ConnectWise has released patches, and CISA has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog.
Sophos X-Ops confirms LockBit ransomware deployment following exploitation of ScreenConnect vulnerabilities. Notably, a local government and a healthcare clinic are among the victims. LockBit's infrastructure was dismantled in Operation Cronos, but attacks persist due to the extensive reach of LockBit affiliates.
Law enforcement efforts have led to arrests and indictments targeting LockBit actors, including Russian suspects. LockBit's history of targeting large-scale organizations has prompted significant rewards for information leading to the apprehension of gang members.
In summary, the exploitation of ScreenConnect vulnerabilities underscores ongoing ransomware threats, even amidst law enforcement actions against prominent ransomware groups like LockBit. It highlights the importance of timely patching and heightened cybersecurity measures to mitigate such risks.