Attacks exploiting the maximum severity authentication bypass and high-severity path traversal flaws impacting ConnectWise ScreenConnect servers, tracked as CVE-2024-1709 and CVE-2024-1708, respectively, have been deployed by various threat operations, including the Black Basta and Bl00dy ransomware groups, reports SecurityWeek.
Vulnerable ScreenConnect servers infiltrated by Black Basta have been leveraged by the ransomware gang to facilitate reconnaissance, privilege escalation, and Cobalt Strike payload distribution, according to a report from Trend Micro. On the other hand, Bl00dy ransomware exploited the vulnerabilities, collectively known as SlashAndGrab, to enable Conti and LockBit builder deployment. Other threat operations were noted by researchers to have used the bugs to allow the distribution of the XWorm malware and remote access software. "Following our detailed examination of various threat actors exploiting vulnerabilities in ConnectWise ScreenConnect, we emphasize the urgency of updating to the latest version of the software. Immediate patching is not just advisable; it is a critical security requirement to protect your systems from these identified threats," said Trend Micro.
