Cyber Siege: ScreenConnect Servers Hit by Ransomware Onslaught Due to Critical Flaw CVE-2024-1709

Hackers unite in a digital tango—Black Basta and Bl00dy gangs shimmy through ScreenConnect’s dance floor, exploiting a severe flaw to waltz off with admin rights. Update or face the music!

Hot Take:

And here I thought reusing passwords across different accounts was the height of cybersecurity faux pas, but leaving your ScreenConnect server unpatched is like leaving the keys to the digital kingdom under the doormat with a neon sign saying ‘Rob me!’ The Black Basta and Bl00dy ransomware gangs must feel like kids in a candy store where the candy is just ripe vulnerabilities waiting to be exploited. Seriously folks, patch your servers or these cyber rascals will have a field day with your admin rights!

Key Points:

  • The critical flaw CVE-2024-1709 is like an all-access VIP pass for hackers to create admin accounts and take over ScreenConnect servers.
  • ConnectWise is playing catch-up with patches for this and another high-severity flaw while attackers are already throwing a hacking party.
  • The Black Basta and Bl00dy gangs are not just exploiting these flaws—they’re setting up ransomware and RATs like they own the place.
  • Exploits are so last week—now, cybercriminals are using leaked ransomware builders for a more personalized touch in their attacks.
  • Immediate patching is not just a good idea—it’s like the cybersecurity version of putting on pants before leaving the house.

Title: Authentication bypass using an alternate path or channel
CVE ID: CVE-2024-1709
CVE state: PUBLISHED
CVE assigner short name: cisa-cg
CVE date updated: 02/21/2024
CVE description: ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

Title: Improper limitation of a pathname to a restricted directory (“path traversal”)
CVE ID: CVE-2024-1708
CVE state: PUBLISHED
CVE assigner short name: cisa-cg
CVE date updated: 02/21/2024
CVE description: ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
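As a defender-side illustration added here (not code from the article or from ConnectWise), the following Python triages a server inventory against the affected-version boundary stated in the CVE records above, 23.9.7 and prior. It compares version components numerically so that builds such as 23.9.10 are not misjudged by string ordering; the hostnames and build numbers are constructed, not real data.

```python
import re
from dataclasses import dataclass

# Boundary taken from the CVE records: 23.9.7 and prior are affected by
# CVE-2024-1709 / CVE-2024-1708.
LAST_AFFECTED = "23.9.7"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '23.9.7.8811' into (23, 9, 7, 8811); non-numeric text is ignored."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the release (major.minor.patch) is at or below 23.9.7.

    Only the first three components are compared, so a build suffix such as
    23.9.7.8811 is still treated as release 23.9.7 and therefore affected.
    Numeric comparison means 23.9.10 correctly sorts above 23.9.7.
    """
    boundary = parse_version(LAST_AFFECTED)
    return parse_version(version)[: len(boundary)] <= boundary


@dataclass(frozen=True)
class Host:
    name: str
    version: str


def triage(hosts: list[Host]) -> dict[str, list[str]]:
    """Split an inventory into hosts that need patching and hosts already fixed."""
    result: dict[str, list[str]] = {"patch_now": [], "ok": []}
    for host in hosts:
        result["patch_now" if is_affected(host.version) else "ok"].append(host.name)
    return result


# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = [
    Host("rmm-01", "23.9.7.8811"),
    Host("rmm-02", "23.9.8"),
    Host("rmm-03", "23.9.10"),
    Host("rmm-04", "22.8.3"),
    Host("rmm-05", "24.0.1"),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names)}")
```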

Need to know more?

A Patch in Time Saves Nine... Million?

When ConnectWise released security updates for a maximum severity authentication bypass vulnerability, they probably didn't expect cybercriminals to RSVP to the vulnerability party so quickly. With the proof-of-concept exploits out in the wild, it's like they sent out invitations with a "Please Exploit Me" RSVP card. And RSVP they did, with the Black Basta and Bl00dy ransomware gangs crashing the event and adding their own flair by deploying web shells and Cobalt Strike beacons.

License to Patch

In a move that screams "pretty please with sugar on top," ConnectWise has removed all license restrictions, so even those with expired licenses can secure their servers. It's like the bartender at the club announcing free drinks in hopes that you'll stay for just one more song—except the song is a security update, and the club is your vulnerable server.

Attackers' Shopping Spree

It looks like the bad guys went on a shopping spree with the ScreenConnect vulnerabilities. Shadowserver spotted them trying on dozens of IPs for size, while Shodan is like the personal shopper announcing there are over 10,000 servers to choose from, but only a fraction are dressed in the latest patched fashion.

DIY Ransomware Kits: The New Black?

The trendy thing in cybercrime right now? DIY ransomware kits. Why settle for off-the-rack malware when you can tailor it with leaked Conti and LockBit Black builders? It's the bespoke suit of cyber attacks, and you can bet the Black Basta and Bl00dy gangs are strutting around the digital catwalk with their custom-fitted payloads.

Don't Be the Low-Hanging Fruit

Last but not least, let's talk about the low-hanging fruit of the cyber world—unpatched systems. Trend Micro is basically the concerned parent here, reminding everyone to update their software. Not patching your systems is like sending out a tweet with your home address and the time you'll be out for a jog. Cybercriminals love low-hanging fruit, and right now, unpatched ScreenConnect servers are like ripe apples waiting to be picked.

Tags: authentication bypass, Bl00dy, Black Basta, CVE-2024-1709, Ransomware Gangs, Remote Access Trojan, ScreenConnect vulnerability