Exploitation of two critical ConnectWise vulnerabilities continues to mount, with many attacks attributed to ransomware gangs such as LockBit.
Last month, ConnectWise disclosed two flaws affecting its remote management tool ScreenConnect: an authentication bypass vulnerability, tracked as CVE-2024-1708, that received the highest possible CVSS score of 10, and a path traversal flaw, tracked as CVE-2024-1709.
The activity shows ScreenConnect has become a popular target for ransomware threat actors.
Trend Micro observed exploitation by the Bl00dy and BlackBasta ransomware groups, while Sophos-X saw several attacks by the infamous LockBit ransomware gang.
More recently, cyber insurer Coalition, Inc., also verified that threat actors have been exploiting the ScreenConnect flaws to deploy LockBit ransomware.
In a blog post Wednesday, Leeann Nicolo, incident response leader at Coalition, shared findings from eight incident response cases in February that involved LockBit operators exploiting the ScreenConnect vulnerabilities against policyholders.
LockBit ranked among the most active threat actor groups in NCC Group's tracking last year.
The group's disruptive attacks also warranted a CISA alert in November after threat actors exploited the Citrix Bleed vulnerabilities against aerospace giant Boeing.
Nicolo confirmed that IOCs in the ScreenConnect incident response cases showed a version of LockBit 3.0 was deployed against policyholders.
In 2021, REvil threat actors exploited a zero-day vulnerability in Kaseya's VSA product in a massive ransomware campaign that impacted as many as 1,500 organizations.
While Coalition attributed ScreenConnect attacks against policyholders to LockBit threat actors, Nicolo said the IR team noticed considerable differences compared to past behavior that suggested a less technically skilled actor was involved.
The incident response cases showed data encryption with no data exfiltration, despite a growing trend throughout 2023 in which ransomware actors focused on data theft only and relied on aggressive extortion threats to pressure payments from victim organizations.
It could be that the LockBit gang has rebranded or the actor responsible could be an affiliate with different tactics.
LockBit version 3.0 source code was leaked in 2022 by a disgruntled affiliate, which made the variant available to a broader array of threat actors.
Nicolo described the ransom demands in these cases as significantly lower than previous LockBit demands.
Nicolo listed common IOCs present in previous LockBit incidents that were missing from ScreenConnect attacks.
She added that LockBit normally drops the encryption first, then the ransomware ID and the readme afterward.
In the ScreenConnect LockBit instances, by contrast, the ransom note was dropped together with the encryption.
Nicolo said a different ransom note, in which the threat actors called themselves LockBit, was sent to the printers on site at Coalition clients.
She added that the ransom note contained a Tox chat ID, which is completely different from how LockBit threat actors behaved before.
Source: www.techtarget.com. Publication date: Tue, 12 Mar 2024 15:28:06 +0000