LockBit ransomware still poses a major threat — ScreenConnect under attack from new malware

LockBit affiliate is still operational, and targeting victims

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

TheLockBit website and infrastructure may be knocked offlinefor now, but that isn’t stopping its affiliates from targeting firms and deploying the decryptor.

New reports from multiple cybersecurity companies have claimeda LockBit affiliateis abusing recently discovered ConnectWise ScreenConnect vulnerabilities to drop theransomware.

Earlier this year, ConnectWise discovered two critical vulnerabilities in its ScreenConnect product - the maximum severity CVE-2024-1709 authentication bypass flaw, and the CVE-2024-1708 high-severity path traversal vulnerability.

Bypassing email security

These two flaws caused quite the ruckus among ScreenConnect users, with the company removing all license restrictions to allow even firms with expired licenses to upgrade. CISA, on the other hand, ordered Federal agencies to apply the patch by February 29 at the latest.

Even before LockBit, there was evidence of other threat actors abusing the flaws to compromise vulnerable endpoints and systems.

Now, as per aBleepingComputerreport, both Sophos X-Ops and Huntress security teams confirmed LockBit affiliates taking advantage of the security holes. “In the last 24 hours, we’ve observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)," the Sophos' threat response task force told the publication.

“Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Huntress, on the other hand, claims “a local government, including systems likely linked to their 911 Systems” and a “healthcare clinic” are among those hit by LockBit. “We can confirm that themalwarebeing deployed is associated with Lockbit,” Huntress said in an email.

“We can’t attribute this directly to the larger LockBit group but it is clear that lockbit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement.”

Earlier this week, the LockBit website and database was seized by the UK’s authorities, finding details about the victims, ransom payments, affiliates, and more. No arrests have yet been made.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)