BleepingComputer reports that Sophos X-Ops researchers have observed numerous LockBit ransomware attacks since Feb. 21 against ConnectWise ScreenConnect servers vulnerable to the CVE-2024-1708 and CVE-2024-1709 flaws, after the ransomware operation had been dismantled in an international law enforcement operation.
"Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running," said Sophos X-Ops researchers. Such findings were affirmed by Huntress, which reported that LockBit attackers leveraged CVE-2024-1709 to compromise a healthcare clinic and a local government. "We can't attribute this directly to the larger LockBit group but it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement," Huntress added.
