LockBit Strikes Back: Unpatched ScreenConnect Flaw Leaves 911 Systems Vulnerable

LockBit Ransomware Strikes Again! Despite a recent crackdown, LockBit ransomware is the uninvited guest at ScreenConnect’s vulnerability party. Using the CVE-2024-1709 flaw as its +1, LockBit’s still dancing on networks—law enforcement’s RSVP apparently got lost in the mail.

Hot Take:

Just when you thought LockBit was locked up for good, these pesky ransomware purveyors are like the villain in a horror movie that just won’t stay down. Now they’re exploiting not one, but two ScreenConnect vulnerabilities faster than you can say ‘patch update’. It’s like a digital whack-a-mole, with high stakes and no tickets to redeem for a fluffy prize.

Key Points:

  • LockBit ransomware is being deployed using a leaked builder, which is as reassuring as a screen door on a submarine.
  • The CVE-2024-1709 auth bypass flaw in ScreenConnect is getting more action than a Black Friday sale.
  • ConnectWise patches are like lifeboats on the Titanic — great if you have access to them, not so much if you’re still on the sinking ship.
  • LockBit’s been hit by Operation Cronos, but like a hydra, take down one head and two more spring up in its place.
  • The U.S. State Department is offering a cool $15 million for LockBit gossip — snitches get riches!

Title: Authentication bypass using an alternate path or channel
CVE ID: CVE-2024-1709
CVE state: PUBLISHED
CVE assigner short name: cisa-cg
CVE date updated: 02/21/2024
CVE description: ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

Title: Improper limitation of a pathname to a restricted directory (“path traversal”)
CVE ID: CVE-2024-1708
CVE state: PUBLISHED
CVE assigner short name: cisa-cg
CVE date updated: 02/21/2024
CVE description: ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

Need to know more?

Builders and Breakers

Looks like someone's been naughty on the dark web! A disgruntled malware developer leaked the LockBit ransomware builder online, and it's as popular as a free Netflix account in a dorm room. Sophos has spotted naughty cyber folks using this tool to craft ransomware that's been making itself at home on 30 different customer networks. And get this: they're not even bothering to name all their ransomware variants. I guess creativity isn't a hacker's strong suit.

The Patch of Desperation

Remember the good old days when the worst thing you could do was forget to patch your jeans? Well, now unpatched ScreenConnect servers are the new ripped denim, but instead of street cred, you get ransomware. And to add salt to the wound, ConnectWise removed all license restrictions so that even the procrastinators with expired licenses can get their act together. CISA's on the scene too, adding CVE-2024-1709 to its 'naughty list' and giving federal agencies a tight deadline to secure their servers. It's cybersecurity meets reality TV.
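For anyone sorting their own servers into "patched" and "still on the sinking ship", here is an added example (not from ConnectWise, CISA or the original article) that triages an inventory against the "23.9.7 and prior" range quoted in the CVE records above. The CSV column names, hostnames and version strings are constructed for illustration, and the script assumes the inventory reports the version actually installed.

```python
import csv
import io

# Last affected release, taken from the CVE descriptions quoted on this page.
LAST_AFFECTED = (23, 9, 7)

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,screenconnect_version
sc-dispatch-01,23.9.7.8804
sc-helpdesk-02,23.9.8.8811
sc-legacy-03,22.4
sc-branch-04,v23.9.10.8817
sc-unknown-05,
"""

def parse_version(text):
    """Return (major, minor, patch) or None if the string is unusable."""
    text = text.strip().lstrip("vV")
    if not text:
        return None
    parts = text.split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    # Keep only three components: any 23.9.7.x build is still "23.9.7",
    # so the trailing build number must not push it past the threshold.
    nums = [int(p) for p in parts[:3]]
    nums += [0] * (3 - len(nums))  # pad short versions such as "22.4"
    return tuple(nums)

def classify(version_text):
    """'affected', 'not_affected' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never assume a host is safe without a version
    # Integer tuples compare numerically, so 23.9.10 sorts after 23.9.7.
    return "affected" if version <= LAST_AFFECTED else "not_affected"

def triage(inventory_csv):
    """Group hosts from a CSV inventory by their status for these CVEs."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["screenconnect_version"] or "")
        result[status].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" belong in the manual-review pile, not the safe one.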

LockBit's Game of Whack-A-Mole

Despite a global law enforcement smackdown called Operation Cronos, LockBit affiliates are still popping up like daisies in spring. Japanese cyber cops even developed a free LockBit 3.0 decryptor, but it's like bringing a water pistol to a wildfire. And while the U.S. Department of Justice is slapping indictments on Russian suspects quicker than a barista can make a pumpkin spice latte, the LockBit beast continues to claim victims. It's a never-ending game of cyber cat and mouse, and the cheese is always just out of reach.

LockBit's Not-So-Great Escape

Even though LockBit's infrastructure got the equivalent of a digital nuke, these ransomware rebels are resilient. They've already sprouted new attacks and are targeting big fish like Boeing and the UK Royal Mail. It's like the LockBit crew watched too many action movies and figured 'go big or go home' was the way to go. And with the U.S. waving a $15 million bounty for info, it's turned into an episode of America's Most Wanted: Cyber Edition. So, grab your popcorn and stay tuned, because the LockBit saga is far from over.
