
North Korean Hackers Exploit ScreenConnect Bugs to Unleash New Malware

The world of cybersecurity is always on high alert, and the latest threat comes from an infamous North Korean hacking group known as Kimsuky or Thallium. According to a new report by Kroll, these state-sponsored hackers have been exploiting recently discovered vulnerabilities in ConnectWise’s ScreenConnect remote access platform to deliver a dangerous new piece of malware called ToddleShark.

North Korean Hackers Exploit ScreenConnect Bugs

The two vulnerabilities in question, CVE-2024-1709 and CVE-2024-1708, allowed the Kimsuky group to bypass authentication and gain unauthorized access to target systems. From there, they were able to steal sensitive data like hostnames, system configurations, user accounts, network details, and information about security software and running processes.

Now, you might be thinking, “Why would they want all that data?” Well, cyber-espionage is Kimsuky’s bread and butter, and this sort of reconnaissance likely lays the groundwork for more destructive attacks down the line. Their targets typically include government agencies, universities, and research centers in the West, so the implications are pretty serious.


But Kimsuky isn’t the only one taking advantage of these ScreenConnect flaws. Researchers say various other threat actors, including the notorious LockBit ransomware gang, have been leveraging the vulnerabilities to drop malware and encryptors on unpatched systems. It’s been a virtual free-for-all since ConnectWise disclosed the issues last month.

The ConnectWise team has been working hard to mitigate the damage, though. A company spokesperson mentioned that 80% of their clients use cloud-based environments, which were patched within just two days. But with over a million businesses managing more than 13 million devices through ScreenConnect, the exact number of affected firms is difficult to pinpoint.

What’s clear is that this incident serves as a stark reminder of the constant threat posed by state-sponsored hackers and the importance of prompt patching and robust cybersecurity measures. The Kimsuky group, in particular, has a track record of cyber-espionage against high-profile targets, and their new ToddleShark malware is a concerning evolution of their arsenal.

As the cybersecurity landscape grows increasingly complex, it’s crucial for organizations to stay vigilant and prioritize the protection of their sensitive data and systems. Because as the ScreenConnect saga demonstrates, even widely used tools can become prime targets for malicious actors seeking to exploit vulnerabilities and wreak havoc.

*Update from ConnectWise*

ConnectWise did not experience a data breach, intrusion, or ransomware event, but a vulnerability was reported. On February 13th, an independent researcher submitted a potential ScreenConnect vulnerability through our voluntary disclosure process. Once validated, ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours. On February 19th, we released a patch for all on-prem ScreenConnect customers, posted a security bulletin on the ConnectWise Trust Center, and sent patching instructions to ScreenConnect customers. ConnectWise strongly recommends customers immediately patch on-prem instances of ScreenConnect. At this time, ConnectWise and other cybersecurity firms have seen exploits of the ScreenConnect vulnerability on unpatched on-prem instances. However, cyberattacks can occur through numerous avenues, including vulnerabilities, phishing, and business email compromise. While usually used for IT service delivery and product support, attackers can misuse remote control tools to facilitate malicious activities. Here is a summary of the timeline of events:

  • On February 13th, an independent researcher reported the potential ScreenConnect vulnerability using the ConnectWise vulnerability disclosure process.
  • ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours.
  • On February 19th, ConnectWise released an official patch for all on-prem partners, posted a security bulletin to the ConnectWise Trust Center, and sent partner comms urging all partners to patch.
  • On February 19th, ConnectWise initiated contact with CISA.
  • On February 21st, because cybersecurity is essential to ConnectWise and our partners, as an interim step, on-prem partners not on maintenance can update to patched ScreenConnect 22.4.20001.8817 at no additional cost.
  • On February 22nd, for precautionary measures, where possible ConnectWise paused functionality for unpatched versions of on-prem ScreenConnect until customers update to a patched version.
  • ConnectWise strongly recommends that all on-prem partners be on maintenance and upgrade to 23.9.8 or later.
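The two patch thresholds in ConnectWise's timeline (23.9.8 or later, plus the interim 22.4.20001.8817 build for partners not on maintenance) are easy to get wrong with a naive string comparison, so here is an added example, not ConnectWise's own tooling, that triages an on-prem ScreenConnect inventory against them. The inventory dictionary, hostnames and versions in it are constructed for illustration.

```python
# Patch thresholds as stated in the ConnectWise update above.
PATCHED_RELEASE = (23, 9, 8)            # "23.9.8 or later"
INTERIM_BUILD = (22, 4, 20001, 8817)    # interim build for partners not on maintenance


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '23.9.8' or '22.4.20001.8817' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable ScreenConnect version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True if the on-prem build is one ConnectWise lists as carrying the fix."""
    v = parse_version(version)
    if v >= PATCHED_RELEASE:   # tuple comparison handles 23.9.8.x and 24.x correctly
        return True
    # Only the exact interim 22.4 build is fixed; earlier 22.4.x builds are not.
    return v == INTERIM_BUILD


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into patched / unpatched / unknown buckets for follow-up."""
    buckets: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, ver in inventory.items():
        try:
            buckets["patched" if is_patched(ver) else "unpatched"].append(host)
        except ValueError:
            # A version we cannot parse needs a human look, not a silent pass.
            buckets["unknown"].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "sc-prod-01": "23.9.8",
    "sc-prod-02": "23.9.7",
    "sc-legacy-01": "22.4.20001.8817",
    "sc-legacy-02": "22.4.20001.8816",
    "sc-lab-01": "24.1.0",
    "sc-unknown": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unpatched or unknown buckets are the ones to prioritise for the upgrade ConnectWise recommends and for review of recent access.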