"Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running," said Sophos X-Ops researchers. Such findings were affirmed by Huntress, which reported that LockBit attackers leveraged CVE-2024-1709 to compromise a healthcare clinic and a local government. "We can't attribute this directly to the larger LockBit group but it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement," Huntress added.