The Download
We previously blogged on the likely severe repercussions of the ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709) disclosed by ConnectSecure in February 2024. Early intel indicated that the Change Healthcare nation-wide outage due to BlackCat/ALPHV ransomware was connected to the ScreenConnect vulnerabilities, however this was not confirmed by Change Healthcare. Separately it was reported that Change Healthcare paid $22M in Bitcoin (BTC) to the BlackCat ransomware gang.
Bleeping Computer is reporting that North Korean cyber gang Kimsuky is actively exploiting the ScreenConnect vulnerabilities to drop backdoor malware known as ToddlerShark. North Koreans are known for targeting governments and organization of their adversaries. ToddlerShark is used primarily for cyber espionage and can evade endpoint detection by "living off the land" using Microsoft programs to do its bidding.
In addition to these attacks, the Play ransomware is exploiting the ScreenConnect software according to Dark Reading. Targets included a finance company that had their storage area network (SAN) completely encrypted with Play ransomware. At-Bay cyber research reported Lockbit and Play ransomware targeted a Managed Service Provider (MSP) through ScreenConnect, however the intrusion was stopped and mitigated before damage occurred. Meanwhile Trend Micro is reporting two other ransomware gangs Black Basta and Bl00dy are exploiting the ScreenConnect vulnerabilities.
What To Do
The most important step is to scan and ensure you have patched any on-prem ScreenConnect versions your company may have. Beyond that if you were running an instance of ScreenConnect that was vulnerable on prem, you should look for published Indicators of Compromise.
To read more: