The advanced persistent threat (APT) group Kimsuky has executed a recent cybercriminal operation by exploiting newly discovered bugs in ScreenConnect.
Based on reports, this assault capitalises on vulnerabilities within the ConnectWise ScreenConnect software, unleashing a variant of the infamous BabyShark malware, now dubbed ToddlerShark.
The cybercriminal campaign exploits these flaws to gain unauthorised access and deploy malicious payloads.
The primary objective of exploiting the ScreenConnect flaws is to launch the ToddlerShark malware.
Kimsuky’s modus operandi revolves around exploiting ScreenConnect vulnerabilities, such as CVE-2024-1708 and CVE-2024-1709, to propagate ToddlerShark.
According to investigations, the attackers created this malware to execute long-term espionage and data exfiltration. Researchers believe that ToddlerShark is the latest iteration of Kimsuky’s notorious ReconShark and BabyShark backdoors, previously implicated in espionage campaigns spanning government entities, universities, and organisations across the U.S., Asia, and Europe.
In addition, the attackers have combined polymorphic traits, legitimate Microsoft binaries, and registry tweaks to keep the malware persistent while it stealthily collects sensitive data from compromised devices. The operators have also used unique Command and Control (C2) URLs, which puts further strain on detection measures.
Kimsuky's campaign is not the only recent one built on the ScreenConnect bugs. The Black Basta and Bl00dy ransomware gangs have also been observed targeting CVE-2024-1709, which carries a critical CVSS score of 10.
Earlier this year, researchers warned of the LockBit ransomware group's exploitation of these vulnerabilities. Before that, in January, the HHS HC3 issued an advisory regarding attacks on healthcare sector firms leveraging ConnectWise's ScreenConnect remote access tool.
This warning followed an incident in 2023 where a significant pharmacy supply chain, reliant on a self-hosted version of ScreenConnect, fell victim to the same compromise, potentially placing numerous entities at risk.
The number of malicious actors exploiting ScreenConnect's vulnerabilities keeps growing as vulnerable instances remain in use across various industries. However, by prioritising security updates and adopting a proactive security stance, organisations can build formidable barriers to protect their systems and data against the ever-present danger of cyber threats.