Dive Brief:
- A new state-linked threat actor has joined the ConnectWise ScreenConnect fray, capitalizing on already rapidly exploited security flaws to deploy malware, Kroll Cyber Threat Intelligence researchers said Tuesday.
- The new malware, which Kroll dubbed ToddlerShark, was used during post-compromise threat activity linked to two vulnerabilities in ScreenConnect, including CVE-2024-1709, which has a CVSS score of 10.
- The ToddlerShark malware shares several similarities with BabyShark malware, which Palo Alto Networks researchers previously identified as targeting U.S. national security think tanks. That malware is linked to a group that Kroll researchers track as KTA082, also known as Kimsuky.
Dive Insight:
The malware in the ToddlerShark attack used a legitimate Microsoft binary and exhibited polymorphic behavior, which can make it more difficult to detect.
Kroll said responders were able to stop the attack.
Numerous criminal threat groups are targeting the ConnectWise ScreenConnect vulnerabilities, which were originally disclosed in February.
The critical authentication bypass vulnerability, CVE-2024-1709, raised alarm bells in the security community, as researchers say it is extremely easy to exploit. The Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog.
At-Bay researchers have already linked Play ransomware and LockBit 3.0 to threat activity exploiting these flaws. LockBit 3.0 was used in a suspected supply chain attack, while Play ransomware was used in a suspected ransomware attack against a finance company.
Trend Micro researchers have also linked Black Basta and Bloody Ransomware to threat activity targeting vulnerabilities in ScreenConnect. Sophos researchers identified attacks using LockBit tools, too.