Dive Brief:
- Researchers are linking attacks targeting ConnectWise ScreenConnect vulnerabilities to Play ransomware and LockBit 3.0, insuretech At-Bay said last week.
- One day after the ScreenConnect vulnerabilities were disclosed, a managed service provider warned a nonprofit that it was among a group of its customers that LockBit 3.0 had targeted in a suspected supply chain attack, according to At-Bay researchers.
- In a separate incident, a finance company attempting to apply a patch discovered unauthorized activity, including efforts to manipulate Active Directory and to install AnyDesk on key systems. The attack, linked to Play ransomware, included a ransom demand.
Dive Insight:
The attacks highlight ongoing exploitation linked to the ConnectWise ScreenConnect vulnerabilities. The flaws include a critical authentication bypass vulnerability, listed as CVE-2024-1709, which has a CVSS score of 10.
Researchers from Trend Micro last week tied exploitation activity to Black Basta and Bloody Ransomware. Researchers from Sophos previously disclosed attacks linked to LockBit tools.
At the same time, threat actors moved quickly to exploit the ConnectWise vulnerability. The attacks against the nonprofit and the finance company both took place within 72 hours of the vulnerabilities being disclosed.
“In terms of the ease for criminals to target the vulnerability, the potentially large number of businesses that are unaware of the risk or have yet to implement the patches is a concern to security experts,” At-Bay researchers said in an email. “Active exploitation of these vulnerabilities is already happening.”