Leaked LockBit malware deployed in ScreenConnect attacks – 600+ IPs seen attacking 8,200 instances

"The executable in question was built using the LockBit 3 ransomware builder tool leaked in 2022, so this particular sample may not have originated with the actual LockBit developers"

Leaked LockBit malware deployed in ScreenConnect attacks – 600+ IPs seen attacking 8,200 instances

Remote management software from ConnectWise is now being widely exploited in the wild, with data from Shadowserver showing 8,200 vulnerable instances exposed and attacks coming from over 600 IPs.

The ScreenConnect software, which is used by managed service providers (MSPs) and others to manage tens of thousands of downstream desktops and services, has a critical CVSS 10 vulnerability (now allocated CVE-2024-1709) that is trivial to exploit. POCs are widely available.

Notably, cybersecurity firms including Huntress and Sophos have detected LockBit ransomware being deployed on vulnerable systems, despite a major takedown of the cybercrime group’s infrastructure – and retrieval of over 1,000 decryption keys – in a global law enforcement effort. 

But this may not be stemming from the LockBit group itself. 

ScreenConnect LockBit attacks: An old builder?

Sophos said: “At least one threat actor is abusing ScreenConnect to deploy a ransomware executable. Sophos suspects it is the same person or group; an identical payload (SHA-256 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a) was discovered in more than 30 different customer networks, beginning on February 22. This distribution pattern is strongly indicative of the threat actor pushing the payload from a compromised server.

“The executable in question was built using the LockBit 3 ransomware builder tool leaked in 2022, so this particular sample may not have originated with the actual LockBit developers. Our detection for this generation of LockBit (Troj/Ransom-GYT) was built specifically to detect samples generated by the leaked builder tool before they run. We’ve also seen a memory detection rule (Mem/LockBit-B) stopping the execution of both the original and the copycat builds of LockBit in some cases.

“However, the ransomware did not call itself LockBit.”

The cybersecurity firm added: “We’ve also seen other ScreenConnect abuse in our telemetry, some delivering AsyncRAT (via WSF script execution); infostealers; and SimpleHelp Remote Access Client.”

Remote Code Execution in the wake of initial exploitation of CVE-2024-1709 is achieved by leveraging the vulnerability to create a new admin account, and then using these creds to upload an extension (i.e. a plugin) that hosts a Metasploit payload. Currently only ARCH_CMD payloads are supported.

Victim forums show many hit early by attackers, who are often confused about post-breach cleanup with wide variation among attacker behaviour.

ConnectWise recommends on-premise partners immediately update to 23.9.8 or higher to remediate reported vulnerabilities. It has rolled out an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later. It said: "To upgrade your version to the latest 23.9 release, please follow this upgrade path: .1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9."

Customers are currently encountering lengthy support delays. If you are lucky enough to have an able and engaged security partner, get them involved.

Huntress, meanwhile, has published a detailed breakdown of some of the post-exploit behaviour it is seeing, here; including IOCs rules for threat hunters. Notably, this has included at least on attacker pulling Google Chrome’s Remote Desktop installer directly from Google infrastructure "no doubt in the hopes they could persistently and remotely access the environment via a second GUI remote access tool..."