Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

LockBit ransomware still poses a major threat — ScreenConnect under attack from new malware

Code Skull.

The LockBit website and infrastructure may be knocked offline for now, but that isn’t stopping its affiliates from targeting firms and deploying the decryptor. 

New reports from multiple cybersecurity companies have claimed a LockBit affiliate is abusing recently discovered ConnectWise ScreenConnect vulnerabilities to drop the ransomware

Earlier this year, ConnectWise discovered two critical vulnerabilities in its ScreenConnect product - the maximum severity CVE-2024-1709 authentication bypass flaw, and the CVE-2024-1708 high-severity path traversal vulnerability. 

Bypassing email security

These two flaws caused quite the ruckus among ScreenConnect users, with the company removing all license restrictions to allow even firms with expired licenses to upgrade. CISA, on the other hand, ordered Federal agencies to apply the patch by February 29 at the latest.

Even before LockBit, there was evidence of other threat actors abusing the flaws to compromise vulnerable endpoints and systems.

Now, as per a BleepingComputer report, both Sophos X-Ops and Huntress security teams confirmed LockBit affiliates taking advantage of the security holes. “In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)," the Sophos' threat response task force told the publication.

"Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running."

Huntress, on the other hand, claims "a local government, including systems likely linked to their 911 Systems" and a "healthcare clinic" are among those hit by LockBit. "We can confirm that the malware being deployed is associated with Lockbit," Huntress said in an email.

"We can't attribute this directly to the larger LockBit group but it is clear that lockbit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement."

Earlier this week, the LockBit website and database was seized by the UK’s authorities, finding details about the victims, ransom payments, affiliates, and more. No arrests have yet been made.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.