Black Basta and Bl00dy ransomware gangs exploiting ConnectWise vulns

More ransomware gangs, including the notorious Black Basta operation, have now been observed exploiting a pair of significant vulnerabilities in the ConnectWise ScreenConnect software platform, disclosed on Monday 19 February 2024.

CVE-2024-1708 and CVE-2024-1709 are path traversal and authentication bypass vulns, carrying CVSS scores of 8.4 and 10 respectively. ConnectWise has made patches available, and details of those patches, indicators of compromise (IoCs), and vulnerable versions can be found here. They are described as trivial to exploit, and extremely dangerous.

By Friday 23 February, it had emerged that a threat actor using a leaked build of LockBit – likely not LockBit given that gang’s recent troubles – had begun to exploit the ConnectWise ScreenConnect vulnerabilities in ransomware attacks.

Earlier today (Tuesday 27 February), Trend Micro researchers Ian Kenefick, Junestherry Dela Cruz and Peter Girnus published new intelligence revealing their discovery of the Black Basta and Bl00dy ransomware gangs using the ConnectWise ScreenConnect vulnerabilities to target organisations that have so far failed to patch.

“Our telemetry has found that diverse threat actor groups are exploiting vulnerabilities in ConnectWise ScreenConnect, with tactics ranging from ransomware deployment to information stealing and data exfiltration attacks,” wrote the team in their disclosure notice.

“These activities, which originate from different intrusion sets, highlight the urgency of securing systems against these vulnerabilities…. This further underscores the immediate need for ScreenConnect users to have effective defence strategies and swift patching.”

Black Basta – which recently attacked the systems of utility Southern Water in the UK – was observed deploying Cobalt Strike beacons in some environments to perform reconnaissance, asset discovery and privilege escalation activities prior to executing the final stages of their attack.

Another group, which Trend Micro did not identify, was tracked after it was observed trying to disable real-time monitoring features in Windows Defender using PowerShell, after which it also deployed Cobalt Strike.

The presence of Bl00dy, which last year struck multiple targets through a zero-day in a print management software platform, was ascertained by Trend Micro after it observed the group deploying leaked builds of both the Conti and LockBit Black (LockBit 3.0) lockers.

Threat actors have also been tracked exploiting the ConnectWise ScreenConnect vulnerabilities using the multifaceted XWorm malware, which offers remote access, self-spreading capabilities and data exfiltration, and is also capable of downloading additional payloads.

“We emphasise the urgency of updating to the latest version of the software. Immediate patching is not just advisable; it is a critical security requirement to protect your systems from these identified threats,” wrote the Trend Micro team.

“We emphasise the urgency of updating to the latest version of the [ConnectWise ScreenConnect] software. Immediate patching is not just advisable; it is a critical security requirement to protect your systems from these identified threats”

“If exploited, these vulnerabilities could compromise sensitive data, disrupt business operations, and inflict significant financial losses. The fact that threat actors are actively using these weaknesses to distribute ransomware adds a layer of urgency for immediate corrective actions.”