A North Korean hacking group is attacking ScreenConnect flaws to drop dangerous new malware

North Korean state-sponsored threat actors were observed using the recently discovered ScreenConnect vulnerabilities to steal sensitive data from their targets.

A new report from Kroll, shared with Ny Breaking, shows that a group known as Kimsuky (AKA Thallium) exploited two flaws in ConnectWise’s solution to drop ToddleShark, an improved version of the group’s other backdoors, BabyShark and ReconShark.

BabyShark has previously been seen at public sector endpoints, universities and research centers in the West. While we don’t know who the victims were in this case, it’s safe to assume they come from the same industries.

Two ScreenConnect flaws

As for the data Kimsuky obtained this way, the researchers said they collected information about hostnames, system configuration details, user accounts, active user sessions, network configurations, security software data, all current network connections, a listing of running processes, and a list of installed software.

This information most likely allows the threat actor to prepare for a more destructive cyber attack. Kimsuky is known for its cyber espionage against government agencies.

To drop ToddleShark, Kimsuky exploited two ScreenConnect vulnerabilities: CVE-2024-1709 (Authentication Bypass Flaw) and CVE-2024-1708 (Path Traversal Vulnerability). ConnectWise discovered them at the end of last month and saw that they were being misused en masse shortly after the findings were announced. Threat actors from all over the world flocked to take advantage of unpatched endpoints and drop various types of malware and even ransomware. Some researchers said the infamous LockBit group also used the flaws to drop their encryptor.

A company spokesperson said the majority of its customers (80%) use cloud-based environments that were patched within two days.

The exact number of businesses affected by the flaws is difficult to determine, but media reported that more than one million SMBs managing more than 13 million devices are ConnectWise customers.

ScreenConnect is a remote access platform that is said to be used by more than a million companies around the world.
