Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
Security News, February 2024
The Black Basta and Bl00dy ransomware gangs have joined widespread attacks targeting ScreenConnect servers unpatched against a maximum severity authentication bypass vulnerability.
ScreenConnect's vendor removed all license restrictions last week so that customers with expired licenses can secure their servers from the ongoing attacks, given that these two security bugs impact all ScreenConnect versions.
While analyzing these ongoing attacks, Trend Micro discovered that the Black Basta and Bl00dy ransomware gangs have also started exploiting the ScreenConnect flaws for initial access and backdooring the victims' networks with web shells.
While investigating their attacks, Trend Micro observed reconnaissance, discovery, and privilege escalation activity after the attackers gained access to the network, as well as Black Basta-linked Cobalt Strike beacons being deployed on compromised systems.
The Bl00dy ransomware gang used payloads built using leaked Conti and LockBit Black builders.
Sophos first revealed in a Thursday report that the recently patched ScreenConnect flaws are being exploited in ransomware attacks.