ConnectWise ScreenConnect bug used in Play ransomware breach, MSP attack

A critical ConnectWise ScreenConnect vulnerability that enables authentication bypass was used in a Play ransomware breach and an attempted supply chain attack involving LockBit malware, researchers say.

One of the attacks targeted a managed service provider (MSP) for a potential wider supply chain breach against its customers, the At-Bay Cyber Research Team revealed in an article Thursday. A nonprofit organization was among a group of customers that were targeted by cybercriminals deploying LockBit ransomware.  

However, the attack was thwarted by the MSP’s security operations scenter (SOC) before files were encrypted or customers were further impacted, At-Bay said.

“Given that the encryption executable was found on that particular organization’s system, it’s safe to say the threat actors were close,” a representative from At-Bay’s Cyber Research team told SC Media in an email. “Without notice from the MSP, the organization probably wouldn’t have realized anything was amiss unless the systems were encrypted or the threat actors themselves made contact.”

In another case, a finance company was struck by Play ransomware after discovering an intrusion while attempting to apply the ScreenConnect patch. Despite immediate mitigation efforts, the threat actors successfully encrypted the company’s entire storage area network (SAN) and made a ransom demand.

Both attacks described in the At-Bay article occurred within 72 hours of ConnectWise disclosing and releasing patches for two ScreenConnect vulnerabilities on Feb. 19. The most severe vulnerability is a critical authentication bypass flaw tracked as CVE-2024-1709, which has a maximum CVSS score of 10.  

“Analogous to possessing a master key, this vulnerability allows nefarious actors to generate their own administrative user on the platform, granting them complete control,” the At-Bay Cyber Research Team wrote in the article.

The other bug, tracked as CVE-2024-1708, can enable access to files outside of restricted subdirectories, although Huntress researchers noted the administrative access provided by CVE-2024-1709 enables malicious code to be executed anywhere on the system.

“The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all,” Huntress CEO Kyle Hanslovan told SC Media last week.

More than 3,800 ScreenConnect instances still vulnerable amidst ransomware attacks

LockBit ransomware activity has been seen in attacks targeting the ConnectWise ScreenConnect vulnerabilities since Feb. 21, as reported by Sophos X-Ops researchers and corroborated by Huntress and At-Bay.

Despite a major takedown of LockBit infrastructure by international authorities early last week, the leak of the LockBit 3.0 builder in September 2022 means other threat actors are likely using this variant in many of the attacks observed in the days since the bugs were disclosed.

At-Bay confirmed that the LockBit 3.0 executable (LB3.exe) was deployed in the attack against an MSP and its customers but removed using endpoint detection and response (EDR) software before it could be launched.

In addition to LockBit and Play, Black Basta and Conti ransomware are also being used in campaigns targeting the ConnectWise CVEs, Trend Micro reported on Tuesday. The latter strain comes from another leaked builder being used by a ransomware group known as Bl00dy, which is also using LockBit 3.0 in its ScreenConnect attacks.

Black Basta threat actors were seen deploying Cobalt Strike beacons, executing ransomware and exfiltrating data in environments running vulnerable versions of ScreenConnect.

“Traffic associated with this vulnerability set initially spiked very high, then leveled off and has remained somewhat constant,” Trend Micro’s Vice President for Cybersecurity Greg Young told SC Media in an email.

Young added that one observation late this week showed that the number of successful ScreenConnect exploits was “in the double digits of servers.”

Amidst this spate of attacks, more than 3,800 ScreenConnect instances tracked by nonprofit cybersecurity organization Shadowserver remained vulnerable to CVE-2024-1709 as of Feb. 29. Notably, this is less than half the number Shadowserver reported on Feb. 21, when more than 8,200 vulnerable instances were detected.

At-Bay’s Cyber Research team told SC Media that ransomware threat actors can jump on newly disclosed vulnerabilities within “a matter of hours.”

“Organizations like to test software patches with organizations’ IT stack to make sure the patches don’t break any other functionalities. Even the best companies can take days with that process. Cybercriminals move much quicker,” an At-Bay representative said.

On Feb. 21, Shadowserver said its sensors detected nearly 650 IPs targeting CVE-2024-1709.

Ransomware group ALPHV/BlackCat claimed responsibility for the Change Healthcare attack on Wednesday and denied using the ScreenConnect flaws. United Health Group, parent company of Change Healthcare operator Optum, has since confirmed ALPHV/BlackCat was behind the attack.

[EDITOR'S NOTE: A reference in a previous version of this article citing undisclosed and unconfirmed research that implicated a technology firm as an attack vector for the Change Healthcare incident has been removed. SC Media strives for accuracy and reporting transparency and regrets when it fall short of that goal.] 5/13/2024