LockBit, Play Ransomware Used in Attacks Leveraging ScreenConnect Flaws
At-Bay’s Cyber Research team has evidence that cybercriminals are quickly going after critical software vulnerabilities
This research pertains to vulnerabilities found in ConnectWise’s ScreenConnect, tracked as CVE-2024-1709 (CVSS score of 10) and CVE-2024-1708 (CVSS score of 8.4), described as an authentication bypass flaw and a path traversal bug, respectively.
Threat actors are quickly taking advantage of the recently announced ScreenConnect vulnerability to launch attacks.
At-Bay’s Cyber Research team has observed multiple ransomware incidents over the past week involving two different variants. One involved the Play ransomware variant, one of the most widely used in 2023. Our Cyber Research team also observed one incident where the LockBit ransomware variant was used.
The incidents observed since the vulnerabilities were disclosed indicate that the Play and LockBit Ransomware-as-a-Service (RaaS) groups or their affiliates could be targeting the ScreenConnect vulnerability. One incident saw a Managed Service Provider (MSP) being targeted, which led to its customers being impacted in what could be classified as a supply chain attack. Because MSPs are commonly known to use ConnectWise, threat actors may be able to gain access to a wide array of organizations by taking advantage of the unpatched software.
Beyond At-Bay’s observations, there have been several other ransomware variants connected to ScreenConnect vulnerabilities. Change Healthcare, a subsidiary of UnitedHealthGroup, was hit with the BlackCat ransomware strain after the flaws were publicly released. Cybersecurity company Trend Micro says it has evidence that two ransomware groups, Black Basta and Bl00dy, are also exploiting the ScreenConnect vulnerabilities.
Timeline and Details
ConnectWise announced on February 19 that its ScreenConnect (formerly ConnectWise Control) software — a widely used tool for remote desktop management — contained two critical vulnerabilities. The company has since released patches to fix the issues and urged its customers to update as soon as possible.
Left unpatched, the severe security flaws identified effectively leave a door wide open to corporate systems, providing attackers with unfettered access to company networks.
The primary concerns:
- Authentication Bypass: Analogous to possessing a master key, this vulnerability allows attackers to create their own administrative user on the ScreenConnect server, granting them complete control over it. (CVE-2024-1709)
- Path Traversal: This secondary vulnerability provides attackers with a method to access unauthorized files, further compromising the integrity of the system. (CVE-2024-1708)
Play Ransomware: Unauthorized Activity
At-Bay’s Cyber Research team observed a ransomware incident against a finance company that noticed unauthorized activity on its corporate network while trying to apply the patch.
As this company took a deeper dive into its logs, it found unauthorized activities, including attempts to manipulate Active Directory through ConnectWise and the unsolicited installation of AnyDesk on crucial systems. The company’s IT team took its ScreenConnect server offline and used additional tools from Endpoint Detection and Response (EDR) software to remove the threat from its system.
The situation escalated when, despite resetting passwords and severing connections in a bid to isolate the attack, the company discovered the attacker actively siphoning files via FTP from a critical server. When the company’s IT team tried to shut that down, their entire Storage Area Network (SAN) was encrypted, marked by the “.PLAY” file extension.
A ransom demand was made.
LockBit Ransomware: Supply Chain Attack
Just one day after the ScreenConnect vulnerability was announced, a nonprofit organization received an urgent notification from its MSP. The notice informed them that they were among a group of customers who had been targeted by cybercriminals deploying LockBit 3.0 ransomware.
The MSP’s security operations center (SOC) sprang into action, isolating every machine the provider managed in order to stop any possible spread, including machines that did not have ScreenConnect installed. They also used EDR software to locate and remove the ransomware executable (LB3.exe) before the group had a chance to launch the program. They were able to mitigate the issue before it materially impacted the nonprofit.
Additionally, an incident response team was used to run several more EDR scans, remove ScreenConnect from the organization’s system, and perform several forensics tests to ensure the organization’s system was free of malware.
We believe that the incident tied to LockBit was an example of a “supply chain” attack that first impacted an MSP.
Ransomware Groups Move Quickly to Attack Supply Chain
All of these attacks happened less than 72 hours after the patch was available. While these incidents were discovered before they blindsided businesses, they show just how quickly companies need to move to limit their risk.
The ScreenConnect vulnerability is a prime example of how supply chain attacks can impact companies through no fault of their own. Businesses often extend certain access privileges to third-party vendors like MSPs for operational efficiency and collaboration. Attackers exploit these relationships, knowing that breaching a single MSP can provide a backdoor into multiple other organizations that may be otherwise secure.
These attacks take advantage of a blind spot in cybersecurity practices that focus primarily on direct threats, overlooking the potential for indirect compromise through a company’s partners and vendors.
Recommended Actions
Businesses using ScreenConnect, particularly those with self-managed servers, should take immediate action:
- Promptly Update: Upgrade to version 23.9.8 or later to mitigate these vulnerabilities.
- Investigate for Unknown Behavior: Meticulously inspect your system or reach out to your security services teams for any signs of unauthorized access, such as unfamiliar user accounts.
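Both recommended actions above can be turned into a repeatable check across a fleet of self-managed servers. The script below is an added example written for this article; it is not At-Bay’s or ConnectWise’s code. It compares each server’s reported version numerically against the fixed release 23.9.8 (a plain string comparison would wrongly rank 23.9.10 below 23.9.8) and lists any account that is not on an administrator-maintained baseline of approved users. The inventory, account lists and baseline are constructed sample data; in practice they would come from your asset inventory and from each server’s user list.

```python
"""Post-advisory review of self-managed ScreenConnect servers.

Flags (a) servers still below the fixed release 23.9.8 and (b) accounts on
each server that are not on the approved baseline. All server records and
account names below are constructed sample data, not output of any real tool.
"""
from dataclasses import dataclass

FIXED_VERSION = "23.9.8"  # first release carrying the fix for CVE-2024-1709/1708


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '23.9.10' into (23, 9, 10) so versions compare numerically.

    String comparison would rank '23.9.10' below '23.9.8' because '1' < '8'.
    """
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unexpected version component {piece!r} in {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is the fixed release or any later release."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so (23, 9, 8) equals (23, 9, 8, 0).
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v >= f


@dataclass
class ServerRecord:
    host: str
    version: str
    accounts: list[str]  # usernames configured on that server


def review_servers(records: list[ServerRecord], approved_accounts: list[str]) -> dict:
    """Return per-host findings: an `unpatched` flag and unfamiliar accounts."""
    approved = {a.lower() for a in approved_accounts}
    findings = {}
    for r in records:
        unfamiliar = sorted(a for a in r.accounts if a.lower() not in approved)
        findings[r.host] = {
            "unpatched": not is_patched(r.version),
            "unfamiliar_accounts": unfamiliar,
        }
    return findings


# Constructed sample inventory (hostnames, versions and accounts are made up).
SAMPLE_INVENTORY = [
    ServerRecord("sc-prod-01", "23.9.8", ["admin", "helpdesk"]),
    ServerRecord("sc-prod-02", "23.9.7", ["admin", "helpdesk", "svc_update"]),
    ServerRecord("sc-lab-01", "23.9.10", ["admin"]),
    ServerRecord("sc-old-01", "22.6.1", ["Admin", "backup_ops"]),
]
# Constructed baseline of accounts the administrators recognise.
APPROVED_ACCOUNTS = ["admin", "helpdesk"]


if __name__ == "__main__":
    for host, finding in review_servers(SAMPLE_INVENTORY, APPROVED_ACCOUNTS).items():
        status = "UNPATCHED" if finding["unpatched"] else "patched"
        extra = finding["unfamiliar_accounts"] or "none"
        print(f"{host}: {status}; unfamiliar accounts: {extra}")
```

An account that is not on the baseline is a lead to investigate, not proof of compromise on its own; the point of the check is to surface every host that still needs the upgrade and every account that nobody on the team can vouch for, so both lists can be worked through before the server is returned to service.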
If your business uses an MSP or Managed Security Service Provider (MSSP), ask them whether they are using ScreenConnect and if they have patched their own systems. As a general rule, businesses should also ask an MSP/MSSP what actions they take in events like this and what tools they use to keep their own systems safe.
A Prime Example of Proactive Security
The ScreenConnect vulnerability serves as a glaring reminder of the persistent threat posed by cybercriminals. At-Bay’s Cyber Research team’s findings underscore the criticality of swift action and vigilance in protecting digital assets, especially for MSPs. These incidents not only highlight the ingenuity of RaaS groups, but also the importance of comprehensive, proactive cybersecurity measures.
If you are an At-Bay broker or policyholder with questions or concerns regarding ScreenConnect, please contact our Security team at security@at-bay.com.