Ransomware gangs exploiting ConnectWise ScreenConnect flaws

New Trend Micro research revealed additional ransomware gangs, including Black Basta, are actively exploiting ConnectWise ScreenConnect vulnerabilities and warned enterprises it is critical to patch now.

Last week, ConnectWise updated a security advisory for two vulnerabilities, tracked as CVE-2024-1709 and CVE-2024-1708, affecting the remote monitoring and management ScreenConnect software that were first disclosed on Feb. 19. In the update, ConnectWise confirmed exploitation of the path traversal and authentication bypass vulnerabilities, which led to compromised accounts. Following the update, Sophos X-Ops researchers connected exploitation activity to the LockBit ransomware gang, one of the most active groups in 2023 that was temporarily disrupted by a join law enforcement operation last week.

Trend Micro discovered more ransomware groups, including Black Basta and Bl00dy, are also actively exploiting the vulnerabilities. In a report on Tuesday, Trend Micro researchers Peter Girnus, Junestherry Dela Cruz and Ian Kenefick emphasized the vulnerabilities have been exploited to deliver ransomware to ConnectWise customers, which could lead "to considerable disruptions and potential damage to businesses relying on this software."

The researchers also linked exploitation activity, which was initially detected on Feb. 21, to additional unnamed threat groups. Successful exploitation of the ScreenConnect flaws could allow attackers to gain control over an affected system.

"Immediate patching is not just advisable. It is a critical security requirement to protect your systems from these identified threats," the researchers wrote in the research.

Ransomware affiliates and threat groups chained the vulnerabilities to gain initial access to ConnectWise servers within customer organizations and performed reconnaissance. The attackers can then add new accounts to connect to the ScreenConnect client application for privilege escalation. Next, attackers deployed malicious payloads and commands, including PowerShell and Cobalt Strike in some cases.

Following exploitation, Trend Micro observed the threat actors, including those affiliated with the Black Basta gang, deploying ransomware and exfiltrating data from victim networks. Black Basta is a rebrand of the infamous Conti ransomware group, which shut down following a massive leak of internal data, source code and communications in February 2022. Last year, Corvus Insurance reported that Black Basta received more than $107 million in ransom payments from 90 victim organizations over a year and a half time span.

During some ScreenConnect attacks, Trend Micro observed Black Basta attackers deploying Cobalt Strike beacons and payloads to gain a further foothold in a victim environment. Attackers also targeted victims' Active Directory, which is used to manage users' permissions and access.

"The threat actors also deployed this script to count the number of computers in the Active Directory environment that have logged on within the past 90 days, which is used to likely identify active targets for further exploitation or lateral movement within the network," the researchers said.

The Bl00dy ransomware group, which emerged in 2022, was also observed exploiting the ScreenConnect flaws. While operators identified themselves as the Bl00dy ransomware group in ransom notes sent to victims, attackers used leaked builder payloads from LockBit 3.0 and Conti. After encrypting files on a victim machine, operators gave enterprises a 72-hour payment deadline and said the price for a decryptor would increase by $1,000 every hour.

However, ransomware wasn't the only malware deployed during ScreenConnect attacks. Trend Micro observed threat actors dropping the XWorm malware to gain remote access capabilities. Researchers warned XWorm can also let attackers exfiltrate data and download additional payloads.

In another attack sequence, threat actors deployed different remote management tools, including another instance of ConnectWise as well as Atera and Syncro. Activity involved abuse of the BITSAdmin command line tool to download and execute another ScreenConnect client, the research showed.

"Our telemetry also shows how threat actors exploited ScreenConnect vulnerabilities by deploying trail versions of the Atera Remote Monitoring and Management (RMM) tool across several targets in the European region, mostly in Belgium."

Trend Micro warned exploitation could "compromise sensitive data, disrupt business operations, and inflict significant financial losses." Researchers emphasized that ransomware deployment being thrown in the mix makes patching all that more dire. Trend Micro provided customers with a knowledge base article that addresses post exploitation activity and mitigation recommendations.

in an email to TechTarget Editorial, the research team described many of the threat groups exploiting the flaws as "not necessarily highly skilled," but they said victims are mounting rapidly. "Trend doesn't have a specific number [of victims] available right now, but abuse of the vulnerability is exceptionally widespread."

It remains unclear how many ConnectWise customers have been attacked, but at least one organization has come to light. On Monday, Health-ISAC revealed that Red Sense Cyber Threat Intelligence confirmed a cyber attack against UnitedHealth's Change Healthcare last was week involved exploitation of the ScreenConnect vulnerabilities. Change Healthcare suffered massive disruptions, which affected pharmacies across the U.S. On its incident updates page, the healthcare IT provider said disruptions continued through Tuesday as they work to restore systems.

TechTarget Editorial contacted ConnectWise regarding the ransomware activity. A company spokesperson gave the following statement:

We have swiftly addressed the two vulnerabilities (CVE-2024-1709 and CVE-2024-1708) in our ScreenConnect software. Our cloud partners were automatically protected within 48 hours, while on-premise customers were urged to apply the provided patch immediately through the upgrade path we provided. We remain committed to prioritizing the security of our partners' systems and will continue to take proactive measures to address vulnerabilities promptly and effectively. We are seeing some incidents of the ScreenConnect vulnerability being exploited and are actively assisting our partners to address it. It is important to note that ConnectWise did not experience any data breaches, intrusions or ransomware events.

Arielle Waldman is a Boston-based reporter covering enterprise security news.