Security News > 2024 > February > New ScreenConnect RCE flaw exploited in ransomware attacks

Update February 23, 07:02 EST: Sophos published a report today saying that the ransomware payloads they spotted were built using the LockBit ransomware builder leaked online by a disgruntled malware developer in late September 2022.

"On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool," Sophos explained.

Attackers are exploiting a maximum severity authentication bypass vulnerability to breach unpatched ScreenConnect servers and deploy LockBit ransomware payloads on compromised networks.

Today, Sophos X-Ops revealed that threat actors have been deploying LockBit ransomware on victims' systems after gaining access using exploits targeting these two ScreenConnect vulnerabilities.

"Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running."

As part of this joint operation, Japan's National Police Agency developed a free LockBit 3.0 Black Ransomware decryptor using over 1,000 decryption keys retrieved from LockBit's seized servers and released on the 'No More Ransom' portal.

News URL

https://www.bleepingcomputer.com/news/security/new-screenconnect-rce-flaw-exploited-in-ransomware-attacks/