LockBit ransomware still poses a major threat — ScreenConnect under attack from new malware

Code Skull
(Image credit: Shutterstock)

The LockBit website and infrastructure may be knocked offline for now, but that isn’t stopping its affiliates from targeting firms and deploying the decryptor. 

New reports from multiple cybersecurity companies have claimed a LockBit affiliate is abusing recently discovered ConnectWise ScreenConnect vulnerabilities to drop the ransomware

Earlier this year, ConnectWise discovered two critical vulnerabilities in its ScreenConnect product - the maximum severity CVE-2024-1709 authentication bypass flaw, and the CVE-2024-1708 high-severity path traversal vulnerability. 

Bypassing email security

These two flaws caused quite the ruckus among ScreenConnect users, with the company removing all license restrictions to allow even firms with expired licenses to upgrade. CISA, on the other hand, ordered Federal agencies to apply the patch by February 29 at the latest.

Even before LockBit, there was evidence of other threat actors abusing the flaws to compromise vulnerable endpoints and systems.

Now, as per a BleepingComputer report, both Sophos X-Ops and Huntress security teams confirmed LockBit affiliates taking advantage of the security holes. “In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)," the Sophos' threat response task force told the publication.

"Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running."

Huntress, on the other hand, claims "a local government, including systems likely linked to their 911 Systems" and a "healthcare clinic" are among those hit by LockBit. "We can confirm that the malware being deployed is associated with Lockbit," Huntress said in an email.

"We can't attribute this directly to the larger LockBit group but it is clear that lockbit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement."

Earlier this week, the LockBit website and database was seized by the UK’s authorities, finding details about the victims, ransom payments, affiliates, and more. No arrests have yet been made.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.