Last week’s takedown of the LockBit ransomware gang by U.S. and allied law enforcement entities appears to be short lived.
On February 26, reports circulated that LockBit had restored its disrupted servers and claimed it was back in business. Case in point, LockBit is widely believed responsible for the exploits against ConnectWise ScreenConnect software.
ScreenConnect is part of ConnectWise's larger suite of software for MSPs, including professional services automation (PSA) and remote monitoring and management (RMM) software. Managed security services providers (MSSPs) that operate MSP business units and use this type of software could be impacted as well.
ConnectWise Releases Patch
On February 19, ConnectWise released a security fix for its RMM software, ScreenConnect 23.9.7 (and all earlier versions), disclosing two vulnerabilities:
- CWE-288 Authentication bypass using an alternate path or channel
- CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”)
This critical flaw, tracked as CVE-2024-1709, makes it achieve authentication bypass and gain administrative access to ScreenConnect, according to researchers at Huntress. The second vulnerability, tracked as CVE-2024-1708, is a path traversal vulnerability that could allow a malicious ScreenConnect extension to achieve remote code execution (RCE) outside of its intended subdirectory.
According to the Sophos X-Ops, despite the recent law enforcement activity against the LockBit threat actor group, “We had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool.”
LockBit Stands Up to Law Enforcement
LockBit issued a statement on February 24 saying that law enforcement had hacked its dark web site — where the gang leaks data stolen from its victims — using a vulnerability in the PHP programming language, which is widely used to build websites and online applications, a Reuters report said.
"All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies," said the statement, which was posted in English and Russian on a new version of LockBit's dark web site, Reuters reported.
LockBit reportedly moved its portal to a new TOR network address listing several victims. It’s supposed leader, “LockBitSupp,” posted that the threat group would intensify its focus on targeting government agencies in the wake of the takedown operation, reported SC Magazine, a sister publication of MSSP Alert.
“What conclusions can be drawn from this situation? Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger,” LockBitSupp wrote.
Acknowledging LockBit’s reemergence, a spokesperson for Britain's National Crime Agency said, "We recognized LockBit would likely attempt to regroup and rebuild their systems. However, we have gathered a huge amount of intelligence about them and those associated with them, and our work to target and disrupt them continues."
Roger Grimes, a data-driven defense evangelist at KnowBe4, said it's not unexpected that a ransomware group like LockBit already returned. Although, the fact LockBit had such a big disruption and got back up so quickly is a little surprising, he said, and believes that taunting law enforcement rarely works out for the criminal.
"Law enforcement usually takes it personally and expends extra effort to take them down again," he said. "Most ransomware groups get away with what they get away with because they stay under the radar. Challenging and mocking law enforcement isn't staying under the radar. Not only that, but with the previous Lockbit takedown, law enforcement got a really good look at inside operations. The new LockBit deployment isn't going to be that different. What law enforcement learned from the previous takedown is likely to help with the next."
Huntress: Remain in Incident Response Mode
Huntress’ ThreatOps team reported having recreated the ScreenConnect exploit and gaining intimate knowledge of the potential ramifications. The team had been collaborating closely with ConnectWise throughout the process. Huntress had a unique perspective in that it was the first to have telemetry from 1,600-plus vulnerable servers under its management.
Huntress researcher and YouTube star John Hammond appeared as a guest on Andrew Morgan's weekly CyberCall on February 26 and raised the question of whether ConnectWise’s patching of the vulnerabilities would be sufficient to contain the threat. He advised that MSSPs and MSPs and anyone involved with ScreenConnect to remain in “incident response mode.”
“ConnectWise did a good job,” said Hammond, emphasizing continued threat hunting. “They locked up the doors and closed all the windows.”
Finnish cybersecurity firm WithSecure said in a blog post that its researchers have also observed “en-mass exploitation” of the ScreenConnect flaws from multiple threat actors. WithSecure believes the hackers are exploiting the vulnerabilities to deploy password stealers, back doors and ransomware.
Hackers are also exploiting the flaws to deploy a Windows variant of the KrustyLoader back door on unpatched ScreenConnect systems WithSecure wrote. They noted this the same kind of back door planted by hackers recently exploiting vulnerabilities in Ivanti’s corporate VPN software.
