The LockBit website and infrastructure may be knocked offline for now, but that isn’t stopping its affiliates from targeting firms and deploying the decryptor.
New reports from multiple cybersecurity companies have claimed a LockBit affiliate is abusing recently discovered ConnectWise ScreenConnect vulnerabilities to drop the ransomware.
Earlier this year, ConnectWise discovered two critical vulnerabilities in its ScreenConnect product - the maximum severity CVE-2024-1709 authentication bypass flaw, and the CVE-2024-1708 high-severity path traversal vulnerability.
Bypassing email security
These two flaws caused quite the ruckus among ScreenConnect users, with the company removing all license restrictions to allow even firms with expired licenses to upgrade. CISA, on the other hand, ordered Federal agencies to apply the patch by February 29 at the latest.
Even before LockBit, there was evidence of other threat actors abusing the flaws to compromise vulnerable endpoints and systems.
Now, as per a BleepingComputer report, both Sophos X-Ops and Huntress security teams confirmed LockBit affiliates taking advantage of the security holes. “In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)," the Sophos' threat response task force told the publication.
"Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running."
Huntress, on the other hand, claims "a local government, including systems likely linked to their 911 Systems" and a "healthcare clinic" are among those hit by LockBit. "We can confirm that the malware being deployed is associated with Lockbit," Huntress said in an email.
"We can't attribute this directly to the larger LockBit group but it is clear that lockbit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement."
Earlier this week, the LockBit website and database was seized by the UK’s authorities, finding details about the victims, ransom payments, affiliates, and more. No arrests have yet been made.
More from TechRadar Pro
- ConnectWise remote access tool hacked — security pros are saying it is bad, so patch now
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now