Ransomware Gangs Seen Exploiting ScreenConnect Vulnerability

Following the announcement and subsequent patching of CVE-2024-1709, several security researchers have noted ransomware gangs have been seen trying to exploit the flaw.

If the flaw is exploited, it allows an attacker to create admin accounts on Internet-exposed servers, delete all other users, and take over any vulnerable instance associated with a machine.

Ransomware Gangs Seen Exploiting ScreenConnect Vulnerability

Diving into greater detail regarding the vulnerabilities, ConnectWise, the company behind ScreenConnect, warned of not one but two vulnerabilities, CVE-2024-1708 and CVE-2024-1709. Ransomware threat actors are currently exploiting the second.

Security researchers concluded that the flaw was relatively easy to exploit and ConnectWise has urged admins with on-premise servers to update to version 23.9.8 immediately to mitigate the risk posed. In this regard, ConnectWise has provided admins a comprehensive guide regarding vulnerabilities and best practices when updating on-premise servers.

The researchers have been detecting threat actors attempting to exploit the abovementioned vulnerability for over a week. To help combat active exploitation of the flaw, the company removed all license restrictions last week so customers with expired licenses can secure their servers from ongoing attacks, given that these two security bugs impact all ScreenConnect versions.

Further, Bleeping Computer reported that Shadow Server, a nonprofit security organization, said that,

Shadowserver says that CVE-2024-1709 is now widely exploited in attacks, with dozens of IPs targeting servers exposed online, while Shodan currently tracks over 10,000 ScreenConnect servers (only 1,559 running the ScreenConnect 23.9.8 patched version).

Research is ongoing; however, in a recently published blog post by security firm TrendMicro, details of how threat actors use the flaw have been revealed. TrendMicro warned that,

Our telemetry has found that diverse threat actor groups are exploiting vulnerabilities in ConnectWise ScreenConnect, with tactics ranging from ransomware deployment to information stealing and data exfiltration attacks. These activities, which originate from different intrusion sets, highlight the urgency of securing systems against these vulnerabilities. We will detail the most prominent and varied attack chains we’ve observed, which showcase each attacker’s unique approach. This further underscores the immediate need for ScreenConnect users to have effective defense strategies and swift patching.

Black Basta and Bl00dy Ransomware

TrendMicro discovered two ransomware gangs looking to use the flaw: Black Basta and Bl00dy. Security researchers saw Black Basta Cobalt Strike beacons on vulnerable machines deployed by the ransomware’s affiliates. Upon initial foothold on the vulnerable server, threat actors performed reconnaissance, discovery, and privilege escalation activities by executing a list of commands.

It was also noted that the script containing these commands will count the number of computers in the Active Directory environment that have logged on within the past 90 days, which is used to likely identify active targets for further exploitation or lateral movement within the network.

Regarding Bl00dy attacks seen in the wild, they, too, would use Cobalt Strike beacons. Interestingly, upon gaining a foothold on the compromised victim environment, they first performed a defense evasion mechanism by attempting to disable Windows Defenders’ real-time monitoring. This is done via a PowerShell command, followed by the malware attempting to install Cobalt Strike.

Bl00dy is a Frankenstein’s monster of two infamous ransomware strains: Conti and LockBit 3.0. Despite being based on these strains, the threat posed by threat actors deploying Bl00dy should not be underestimated, as threat actors use the best strains it is based on. Threat actors will deliver two ransomware payloads should one fail.

Along with ransomware gangs using the flaw to deploy Cobalt Strike beacons, threat actors were seen exploiting ScreenConnect vulnerabilities with the assistance of XWorm malware.

XWorm is a multifaceted malware that not only provides threat actors with remote access capabilities but also has the potential to spread across networks, exfiltrate sensitive data, and even download additional payloads. Once a foothold is gained on the vulnerable ConnectWise server, we saw that threat actors attempted to execute PowerShell commands to download and execute the XWorm malware.

With that in mind, Trend Micro concluded,

Following our detailed examination of various threat actors exploiting vulnerabilities in ConnectWise ScreenConnect, we emphasize the urgency of updating to the latest version of the software. Immediate patching is not just advisable; it is a critical security requirement to protect your systems from these identified threats. Proactively managing updates is essential for maintaining robust cybersecurity defenses against these sophisticated attacks…If exploited, these vulnerabilities could compromise sensitive data, disrupt business operations, and inflict significant financial losses. The fact that threat actors are actively using these weaknesses to distribute ransomware adds a layer of urgency for immediate corrective actions. By staying informed and taking prompt measures, organizations can protect themselves from potential security breaches and its associated consequences.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal