Dive Brief:
- Threat groups are escalating malicious activity against vulnerable ConnectWise ScreenConnect instances, according to security researchers. Sophos reports that ransomware built with the leaked LockBit 3 builder is among the payloads being deployed, possibly by actors other than the LockBit operators themselves.
- Exploitation of a critical authentication bypass vulnerability, CVE-2024-1709, is widespread, according to Shadowserver. There are more than 8,200 vulnerable instances exposed to the internet and 643 IPs have been observed launching attacks.
- The Cybersecurity and Infrastructure Security Agency on Thursday added the critical flaw, which has a CVSS score of 10, to its Known Exploited Vulnerabilities catalog. The catalog entry notes that the flaw poses a significant risk to the federal enterprise and sets a deadline for Federal Civilian Executive Branch agencies to apply mitigations.
Dive Insight:
Multiple criminal actors are attempting to exploit a critical flaw in ConnectWise ScreenConnect, days after the company urged on-premises users to patch. On Thursday, the company instructed users to update to version 23.9.8 or higher.
The company is also suspending on-premises instances that have not been updated to a fixed version.
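The practical check that follows from the advisory is whether each on-premises server is at or above the fixed release, 23.9.8. The script below is an added example, not ConnectWise's code or tooling: it parses version strings, treats anything below 23.9.8 as needing the patch, and refuses to classify a banner it cannot parse rather than silently marking it safe. The four-part build-number format and the hostnames and versions in the inventory are constructed sample data.

```python
"""Added example (not ConnectWise's code): triage a ScreenConnect inventory
against the fixed release 23.9.8 named in the advisory.

Assumptions: version strings are dot-separated integers (a four-part form
such as 23.9.7.8817 is assumed, but two- and three-part strings are handled),
and the inventory is a list of (hostname, version) pairs collected elsewhere.
"""
from typing import List, Tuple

# First release that contains the fix for CVE-2024-1709 and CVE-2024-1708.
FIXED_VERSION = (23, 9, 8)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.7.8817' into (23, 9, 7, 8817).

    Raises ValueError on anything that is not dot-separated integers, so an
    unparseable banner is never silently treated as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the server runs a release older than 23.9.8.

    Only the first three components decide it; the build number is ignored.
    A two-part string such as '23.9' compares below (23, 9, 8) and is treated
    as unpatched, which is the safe default for an incomplete banner.
    """
    return parse_version(version)[:3] < FIXED_VERSION


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("sc-onprem-01.example.internal", "23.9.7.8817"),
    ("sc-onprem-02.example.internal", "23.9.8.8811"),
    ("sc-onprem-03.example.internal", "22.6.1"),
    ("sc-onprem-04.example.internal", "24.1.0"),
    ("sc-onprem-05.example.internal", "unknown"),
]


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory into (needs_patch, patched, unparseable) host lists.

    Hosts whose version cannot be parsed go into their own bucket so they are
    followed up manually instead of disappearing from the patch list.
    """
    needs_patch: List[str] = []
    patched: List[str] = []
    unparseable: List[str] = []
    for host, version in inventory:
        try:
            (needs_patch if is_vulnerable(version) else patched).append(host)
        except ValueError:
            unparseable.append(host)
    return needs_patch, patched, unparseable


if __name__ == "__main__":
    needs_patch, patched, unparseable = triage(SAMPLE_INVENTORY)
    print("needs patch:", needs_patch)
    print("patched:    ", patched)
    print("check by hand:", unparseable)
```

The version source is deliberately left out: how you collect it (an asset database, a login page banner, a package version on the host) varies by environment, and the point of the example is the comparison and the handling of hosts whose version is unknown.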
“We’ve seen multiple attacks involving ScreenConnect in the past 48 hours,” Christopher Budd, director of Sophos X-Ops Threat Research, said via email. “The most noteworthy has been a malware that was built using the LockBit 3 ransomware builder tool leaked in 2022: this may not have originated with the actual LockBit developers.”
Other malicious tools being deployed against ConnectWise ScreenConnect users include remote access trojans, infostealers, password stealers and other ransomware families, which indicates the activity is coming from multiple attackers rather than a single group, Budd added.
Sophos researchers are still investigating what role the second, high-severity vulnerability, the path traversal flaw CVE-2024-1708, has played in the attacks it has seen so far.
“We haven’t detailed the full exploit chains in these attacks yet,” Budd said.
Rapid7 also observed exploitation in multiple customer environments, according to Caitlin Condon, director of threat intelligence.
“Our MDR teams have observed a range of post-exploitation behavior, and there is no apparent pattern across victim organizations or verticals being targeted,” Condon said via email.
ConnectWise said it swiftly addressed both vulnerabilities in ScreenConnect, and noted that cloud-hosted instances were automatically protected within 24 hours. However, the company has not confirmed a direct link between the flaws and any specific attack.
“At this time, we cannot definitively establish a direct link between the vulnerability and any security incidents,” the company said in an emailed statement.