New ScreenConnect RCE flaw exploited in ransomware attacks

February 23, 2024 at 07:15AM

Sophos reported that recent ransomware attacks used ransomware built with the leaked LockBit builder, dropped on 30 customer networks and created by a different threat actor. The attacks exploit an authentication bypass vulnerability in unpatched ScreenConnect servers, prompting CISA to issue a security directive. Despite a law enforcement operation, LockBit attacks continue globally.

Summary:
– Sophos reported that the recent ransomware attacks were carried out with LockBit ransomware, built using a leaked malware builder tool.
– Attackers have exploited an authentication bypass vulnerability to deploy LockBit ransomware on unpatched ScreenConnect servers.
– ConnectWise has released security updates and removed license restrictions to help customers secure servers from attacks.
– CISA has added the authentication bypass vulnerability to its Known Exploited Vulnerabilities Catalog and ordered U.S. federal agencies to secure their servers.
– Threat actors have been deploying LockBit ransomware on victims’ systems after gaining access using exploits targeting ScreenConnect vulnerabilities.
– Huntress confirmed that a local government and a healthcare clinic have been hit by the LockBit ransomware attackers.
– LockBit ransomware’s infrastructure was seized in a global law enforcement operation named Operation Cronos, leading to arrests and indictments of various threat actors associated with the group.
– The U.S. State Department now offers rewards for providing information about LockBit ransomware gang members and their associates.
