Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks

Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks

February 27, 2024 at 01:54PM

Black Basta and Bl00dy ransomware gangs are targeting unpatched ScreenConnect servers with a critical vulnerability (CVE-2024-1709), allowing admin account creation and takeovers. Exploited since last Tuesday, alongside a path traversal vulnerability (CVE-2024-1708). CISA added CVE-2024-1709 to exploited vulnerabilities, with Trend Micro observing attacks and deployment of ransomware by the gangs. Patching is critical.

Key takeaways from the meeting notes are as follows:

1. The Black Basta and Bl00dy ransomware gangs are carrying out widespread attacks, targeting ScreenConnect servers unpatched against a severe authentication bypass vulnerability (CVE-2024-1709).

2. This critical flaw allows attackers to create admin accounts on Internet-exposed servers, delete all other users, and take over vulnerable instances.

3. Several cybersecurity companies have released proof-of-concept exploits for CVE-2024-1709, and it has been under active exploitation since last Tuesday.

4. ConnectWise released security updates for CVE-2024-1709 and a high-severity path traversal vulnerability (CVE-2024-1708) last week. They also removed all license restrictions to allow customers with expired licenses to secure their servers.

5. CVE-2024-1709 has been added to CISA’s Known Exploited Vulnerabilities Catalog, with U.S. federal agencies ordered to secure their servers by February 29.

6. Trend Micro discovered that the Black Basta and Bl00dy ransomware gangs are exploiting ScreenConnect flaws for initial access and deploying web shells on victims’ networks.

7. Sophos revealed that recently patched ScreenConnect flaws are being exploited in ransomware attacks, with multiple ransomware payloads built using the LockBit ransomware builder.

8. Huntress confirmed that a local government and a healthcare clinic have also been hit by ransomware attackers exploiting the CVE-2024-1709 authentication bypass.

9. Trend Micro emphasized the urgency of updating ScreenConnect to the latest version, stating that immediate patching is critical to protect systems from the identified threats.

Full Article