On February 20, cybersecurity provider ConnectWise disclosed high-risk vulnerabilities CVE-2024-1708 and CVE-2024-1709 (collectively known as SlashAndGrab) in its remote desktop connection system, ScreenConnect. The ransomware group LockBit immediately leveraged these vulnerabilities to target clinics, veterinary hospitals, and local government systems associated with 911 hotlines. Now, it has come to light that other hacker organizations have followed suit.
Trend Micro has identified signs of exploitation by hacker groups Black Basta and Bl00dy using the SlashAndGrab vulnerabilities. Black Basta’s affiliated group first infiltrates ScreenConnect servers through the vulnerabilities, conducts reconnaissance to identify accounts with domain administrator privileges, lists trusted domains, and then deploys the penetration testing tool Cobalt Strike. Another hacker group, Bl00dy, utilizes these vulnerabilities to gain initial access to the target organization’s internal environment and subsequently deploys ransomware to encrypt files. This malicious program is created using the LockBit 3.0 ransomware (also known as LockBit Black) and Conti’s leak-building tool.
Apart from the activities of these two groups, researchers have also observed other hackers deploying the XWorm malware and various remote management tools to gain further control over compromised computers.