Security experts are cautioning that hackers are taking advantage of vulnerabilities in ConnectWise to deploy LockBit ransomware, despite recent efforts by law enforcement to disrupt the notorious cybercrime gang. The flaws include an authentication bypass vulnerability (CVE-2024-1709) and a path traversal vulnerability (CVE-2024-1708). The authentication bypass vulnerability is described as “embarrassingly easy” to exploit, and both vulnerabilities impact ConnectWise ScreenConnect, a widely used remote access tool. The flaws allow attackers to remotely plant malicious code on affected systems.
Cybersecurity companies Huntress and Sophos have observed LockBit attacks following the exploitation of these vulnerabilities. Sophos noted on Mastodon that it had observed “several LockBit attacks” after the exploitation of the ConnectWise vulnerabilities. Despite a recent law enforcement operation claiming to take down LockBit’s infrastructure, some affiliates of the cybercrime gang appear to remain active.
ConnectWise released security updates promptly after the vulnerabilities were identified and urged organizations to patch their systems. However, the flaws are being actively exploited in the wild, putting users who have not yet applied the updates at risk. Both vulnerabilities can be exploited to compromise user privacy and security.
LockBit ransomware’s infrastructure was seized as part of “Operation Cronos,” a law enforcement initiative led by the U.K.’s National Crime Agency. The operation aimed to disrupt LockBit’s activities, resulting in the takedown of public-facing websites and servers. Despite this major action, cybersecurity companies continue to observe LockBit attacks in the wild.
ConnectWise has not disclosed the number of users impacted by these vulnerabilities, and it remains unclear how many businesses have been affected. The company claims to provide its remote access technology to over a million small to medium-sized businesses. The Shadowserver Foundation, a nonprofit analyzing malicious internet activity, reports that the ScreenConnect flaws are being widely exploited. It has identified hundreds of IP addresses actively exploiting the vulnerabilities, emphasizing the widespread nature of the threat.