Getty Images/iStockphoto
LockBit attacks continue via ConnectWise ScreenConnect flaws
Coalition is latest company to confirm LockBit activity against vulnerable ScreenConnect instances. But the insurer found significant differences between previous LockBit attacks.
Exploitation of two critical ConnectWise vulnerabilities continues to mount, with many attacks attributed to ransomware gangs such as LockBit.
Last month, ConnectWise disclosed an authentication bypass vulnerability, tracked as CVE-2024-1708, that received the highest possible CVSS score of 10 and a path traversal flaw, tracked as CVE-2024-1709, that affects its remote management tool ScreenConnect. ConnectWise and other vendors confirmed exploitation activity started just days after the disclosure on Feb 19. So far, the activity shows ScreenConnect has become a popular target for ransomware threat actors.
Trend Micro observed exploitation by the Bl00dy and BlackBasta ransomware groups, while Sophos-X saw several attacks by the infamous LockBit ransomware gang. More recently, cyber insurer Coalition, Inc., also verified threat actors have been exploiting the ScreenConnect flaws to deploy LockBit ransomware.
All three vendors detected an uptick in exploitation activity beginning the week of Feb. 19.
In a blog post Wednesday, Leeann Nicolo, incident response leader at Coalition, shared findings from eight incident response cases in February that involved LockBit operators exploiting the ScreenConnect vulnerabilities against policyholders. Though customers have been affected, she believes patching rates, which is an area where organizations have normally struggled, are unusually positive.
"After analyzing the indicators of compromise (IOCs) in these cases, CIR [Coalition Incident Response] determined five were associated with a version of LockBit 3.0, the ransomware binary associated with LockBit, and three were pre-encryption," Nicolo wrote in the blog. "Following this uptick in ransomware activity against policyholders, Coalition is actively following the ScreenConnect vulnerabilities and tracking other LockBit activity."
LockBit was among NCC Group's most active threat actor gangs last year. The group's disruptive attacks also warranted a CISA alert in November after threat actors exploited the Citrix Bleed vulnerabilities against aerospace giant Boeing.
However, on Feb. 20, law enforcement agencies announced they disrupted LockBit's infrastructure as part of "Operation Cronos." That was one day before Coalition started to observe an uptick in LockBit activity around the ScreenConnect flaws, signaling the disruption was only temporary.
The gang restored some servers and websites about a week later and defiantly announced it would resume attacks, specifically against U.S. government organizations. Nicolo acknowledged challenges law enforcement face against permanently disrupting ransomware gangs. For example, ringleaders are commonly located outside U.S. jurisdiction, which she said perpetuates the "whack-a-mole" cycle in the fight against ransomware.
"The fact that LockBit was able to recover and resume operations within days shows that the government interruption and compromise of their infrastructure, while insightful to law enforcement and beneficial to some victims, was not as comprehensive as hoped," she wrote in the blog post.
Nicolo also addressed how the ransomware-as-a-service business model, which opened the attack surface to affiliates that can now buy ransomware strains from developers to launch attacks, makes attribution more difficult. However, she confirmed that IOCs in the ScreenConnect incident response cases showed a version of LockBit 3.0 was deployed against policyholders. Coalition saw CVE-2024-1709 exploited in every case where an infection was present.
Nicolo told TechTarget Editorial that the affected policyholders came from a variety of sectors, including manufacturing, education, construction and legal. Additionally, one victim was a police department.
She also noted that the victims were a result of downstream attacks on managed service providers (MSPs), which typically use remote management tools like ScreenConnect to interact with clients. Ransomware gangs have targeted MSPs and their frequently used tools in the past to reach downstream customer organizations. In 2021, REvil threat actors exploited a zero-day vulnerability in Kaseya's VSA product in a massive ransomware campaign that impacted as many as 1,500 organizations.
As of Friday, Nicolo said the number of Coalition policyholder ScreenConnect victims increased to 12.
Coalition ScreenConnect cases
While Coalition attributed ScreenConnect attacks against policyholders to LockBit threat actors, Nicolo said the IR team noticed considerable differences compared to past behavior that suggested a less technically skilled actor was involved. For example, incident response cases showed data encryption and no data exfiltration, despite a growing trend throughout 2023 where ransomware actors focused on data theft only and relied on aggressive extortion threats to pressure payments from victim organizations. In addition to a lack of mass exfiltration, Coalition didn't observe the threat actor conduct reconnaissance or dump credentials.
Nicolo offered several possibilities for the different approach. It could be that the LockBit gang has rebranded or the actor responsible could be an affiliate with different tactics. It's also possible the threat actor was not affiliated with the gang. LockBit version 3.0 source code was leaked in 2022 by a disgruntled affiliate, which opened the variant to a broader array of threat actors to use the malware.
Another marked difference involved ransom demand amounts. Coalition settled one case for $10,000 and is engaged in active negotiations where the threat actors are asking for $40,000 to $60,000 from victim organizations. Nicolo described those amounts as significantly lower than previous LockBit demands. Coalition is also monitoring ransomware public leak sites used to pressure payments but has not seen any policyholders listed yet.
"LockBit is all over the place in terms of demands, but that's pretty low especially for their aggressive statement of, 'We're back and better than ever.' Everything's lower level as of right now, which is great if this is truly the new LockBit," she said.
Nicolo listed common IOCs present in previous LockBit incidents that were missing from ScreenConnect attacks. Those included actors gaining privilege escalation, killing processes and services, maintaining persistence, and deleting volume shadow copies. She added that after LockBit normally drops the encryption, the ransomware ID and the readme.txt note gets dropped in all the subdirectories.
However, in the ScreenConnect LockBit instances, the ransom note was dropped with the encryption. Nicolo said a different ransom note, in which the threat actors called themselves LockBit, was sent to the printers on site at Coalition clients. She added that the ransom note had a Tox chat ID, which is completely different than how LockBit threat actors behaved before.
In addition to the IOCs, chat communications with the attackers took a different, less-professional tone than usual.
"The whole attitude is so different," she said. "They haven't been providing us with any evidence of exfiltration. The demands are much, much lower."
Nicolo said in the pre-encryption cases, organizations had endpoint detection and response tools running, which could be a main contributor to prevent successful attacks. Additionally, vulnerable policyholders are exhibiting timely patch management protocols, which she said is unusual.
"In cases where there's a piece of software that's out of date, or action item, [policyholders] come to us to advise them. It's rare that we'll get contacted and find that it's already been done," she said.
She applauded ConnectWise for its timely and transparent vulnerability disclosure, which she thinks made it easier for customers to respond and might have limited the scope of attacks. Nicolo said she is hopeful that the biggest uptick against ScreenConnect customers occurred right away during Feb. 21 through Feb 23, which is when the Coalition cases mounted.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.