Exploitation of two critical ConnectWise vulnerabilities continues to increase, with many attacks attributed to ransomware groups such as LockBit.
Last month, ConnectWise disclosed two flaws in its ScreenConnect remote management tool: an authentication bypass, tracked as CVE-2024-1709, which received the highest possible CVSS score of 10, and a path traversal flaw, tracked as CVE-2024-1708. ConnectWise and other vendors confirmed that exploit activity began just days after the February 19 disclosure. So far, activity shows that ScreenConnect has become a popular target for ransomware threat actors.
Trend Micro observed exploitation by the Bl00dy and Black Basta ransomware groups, while Sophos X-Ops saw several attacks by the infamous LockBit ransomware gang. Recently, cyber insurer Coalition, Inc. also confirmed that threat actors are exploiting the ScreenConnect flaws to deploy LockBit ransomware.
All three vendors revealed an increase in exploit activity starting the week of February 19th.
In a blog post Wednesday, Leeann Nicolo, Coalition's incident response manager, shared findings from eight incident response cases in February involving LockBit operators exploiting the ScreenConnect vulnerabilities against policyholders. Although policyholders were affected, she said patch rates, an area where organizations normally struggle, had been unusually good.
“After analyzing the indicators of compromise (IOCs) in these cases, CIR [Coalition Incident Response] found that five were associated with LockBit version 3.0-related ransomware binaries, and three were pre-encryption,” Nicolo wrote in the blog. “Following this increase in ransomware activity against policyholders, Coalition is actively monitoring the ScreenConnect vulnerabilities as well as other LockBit activity.”
LockBit was among the most active threat groups last year, according to NCC Group. The gang's disruptive attacks also prompted a CISA advisory in November after its affiliates exploited the Citrix Bleed vulnerability against aerospace giant Boeing.
However, on February 20, law enforcement agencies announced that they had disrupted LockBit’s infrastructure as part of “Operation Cronos.” That was one day before the Coalition began seeing an uptick in LockBit activity around the ScreenConnect flaws, signaling that the disruption was only temporary.
The gang restored some servers and websites about a week later and defiantly announced that it would continue its attacks, particularly against US government organizations. Nicolo acknowledged the challenges law enforcement faces in lastingly disrupting ransomware gangs. For example, the ringleaders are usually based outside US jurisdiction, which she said perpetuates the “whack-a-mole” cycle in the fight against ransomware.
“The fact that LockBit was able to recover and resume operations within days shows that the government’s disruption and compromise of their infrastructure, while beneficial to law enforcement and beneficial to some victims, was not as comprehensive as hoped,” she wrote in the blog post.
Nicolo also addressed how the ransomware-as-a-service business model, which has widened the attack surface by letting affiliates buy ransomware strains from developers to launch their own attacks, makes attribution difficult. However, she confirmed that IOCs in the ScreenConnect incident response cases showed LockBit version 3.0 was deployed against policyholders. Coalition saw CVE-2024-1709 exploited in every case where an infection was present.
Nicolo told TechTarget Editorial that policyholders from a variety of sectors were affected, including manufacturing, education, construction and law. One victim was a police department.
She also noted that some victims were compromised through downstream attacks on managed service providers (MSPs), which typically use remote management tools such as ScreenConnect to administer customer systems. Ransomware gangs have targeted MSPs and their commonly used tools in the past to reach end-user organizations. In 2021, REvil threat actors exploited a zero-day vulnerability in Kaseya's VSA product in a massive ransomware campaign that affected as many as 1,500 organizations.
As of Friday, Nicolo said the number of Coalition policyholders hit via ScreenConnect had risen to 12.
Coalition's ScreenConnect cases
While Coalition attributed the ScreenConnect attacks against policyholders to LockBit threat actors, Nicolo said the IR team noticed significant differences from past LockBit behavior that suggested a less technically skilled actor was involved. For example, the incident response cases showed data encryption rather than data exfiltration, despite a growing trend during 2023 in which ransomware actors focused only on data theft and relied on aggressive extortion threats to pressure victim organizations into paying. Beyond the absence of mass exfiltration, Coalition did not observe the threat actor conducting reconnaissance or dumping credentials.
Nicolo offered several possible explanations for the different approach. It is possible that the LockBit gang rebranded, or the actor responsible could be an affiliate with different tactics. It is also possible that the threat actor was not affiliated with the gang at all: the LockBit version 3.0 builder was leaked in 2022 by a disgruntled affiliate, opening the variant to a wider range of threat actors.
Another significant difference involved the ransom amounts demanded. Coalition settled one case for $10,000 and is involved in active negotiations in which the threat actors are seeking $40,000 to $60,000 from victim organizations. Nicolo described the amounts as significantly lower than LockBit's previous demands. Coalition also monitors the public leak sites ransomware gangs use to pressure payment, but has yet to see any of its policyholders listed.
“LockBit is all over the place in terms of claims, but it’s pretty low, especially because of their aggressive statement: ‘We’re back and better than ever.’ Everything is at a lower level right now, which is great if this is indeed the new LockBit,” she said.
Nicolo cited common IOCs present in previous LockBit incidents that were missing from the ScreenConnect attacks. These include the actors escalating privileges, killing processes and services, establishing persistence, and deleting volume shadow copies. She added that after LockBit normally completes encryption, a note named with the ransomware ID and readme.txt is dropped in every subdirectory.
In the ScreenConnect LockBit cases, however, the ransom note was dropped along with the encryptor. Nicolo said a second ransom note, in which the threat actors called themselves LockBit, was sent to on-site printers at Coalition clients. She added that the ransom note carried a Tox chat ID, which is completely different from how the LockBit threat actors behaved before.
Beyond the IOCs, the chat communication with the attackers had a different, less professional tone than usual.
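The two behaviours above, shadow copy deletion and the same ransom note repeated across subdirectories, are the kind of checks an IR team runs to tell a classic LockBit deployment from the pared-down ScreenConnect cases Nicolo describes. The following is an added example written for this article, not code from Coalition, ConnectWise or LockBit; the process-event format, the command lines and the directory tree it scans are constructed for illustration.

```python
"""Triage checks for two LockBit indicators discussed in the article.

Added example, not Coalition's or any vendor's tooling. The event format
(dicts with pid/image/cmdline) and the sample data are constructed here and
loosely modelled on a process-creation log; adapt the field names to your
own telemetry.
"""
import os
import re
import tempfile

# Command lines that delete volume shadow copies. The first two are the
# usual built-in tools; the third is a common PowerShell/WMI variant.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_Shadowcopy.*\.Delete\(\)", re.I),
]


def find_shadow_copy_deletion(events):
    """Return the events whose command line deletes shadow copies.

    `vssadmin list shadows` and other read-only uses are deliberately not
    flagged, so the check stays quiet on ordinary backup activity.
    """
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            hits.append(ev)
    return hits


def find_ransom_notes(root, note_pattern=r"readme\.txt$", min_dirs=3):
    """Walk `root` and report directories containing a file matching
    `note_pattern` (case-insensitive), e.g. '<id>.README.txt'.

    One readme.txt is normal; the same note repeated across many
    subdirectories is the mass-drop pattern the article attributes to a
    typical LockBit run. Returns (matching_dirs, looks_like_mass_drop).
    """
    pat = re.compile(note_pattern, re.I)
    matching = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if any(pat.search(f) for f in filenames):
            matching.append(dirpath)
    return matching, len(matching) >= min_dirs


# Constructed sample events: two real deletions, one benign vssadmin use.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 4188, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 5002, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 5310, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]


def make_sample_tree():
    """Build a throwaway directory tree with a note in four directories
    (root, a, a/b, c) and none in d. Returns the root path."""
    root = tempfile.mkdtemp(prefix="lockbit_demo_")
    for sub in ("a", os.path.join("a", "b"), "c", "d"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    for sub in ("", "a", os.path.join("a", "b"), "c"):
        with open(os.path.join(root, sub, "ABC123.README.txt"), "w") as fh:
            fh.write("constructed ransom note\n")
    return root


if __name__ == "__main__":
    for ev in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print("shadow copy deletion:", ev["pid"], ev["cmdline"])
    dirs, mass = find_ransom_notes(make_sample_tree())
    print("note directories:", len(dirs), "mass drop:", mass)
```

Run stand-alone it reports the two deletion events (PIDs 4120 and 4188) and four note directories. In a real ScreenConnect case like those in the article, the first check would come back empty, which is itself a useful signal that the intrusion does not follow the usual LockBit playbook.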
“The whole attitude is so different,” she said. “They didn’t provide us with any evidence of the chase. The demands are much, much lower.”
Nicolo said that in the pre-encryption cases, organizations had endpoint detection and response tools running, which was likely a major factor in stopping the attacks before encryption. In addition, the affected policyholders showed timely patch management, which she said is unusual.
“In cases where there is an outdated piece of software or an action, [policyholders] come to us to advise them. Rarely will they contact us and find that it’s already been done,” she said.
She praised ConnectWise for timely and transparent disclosure of vulnerabilities, which she believes made it easier for users to respond and could have limited the scope of the attack. Nicolo said she hopes the biggest surge against ScreenConnect users occurred during the period between February 21 and February 23, when the Coalition’s cases piled up.
Arielle Waldman is a TechTarget Editorial news writer covering enterprise security.