Black Basta and Bl00dy Ransomware Groups Exploit Vulnerability in Widespread Attacks

The Black Basta and Bl00dy ransomware gangs have joined a series of attacks targeting unpatched ScreenConnect servers vulnerable to a critical authentication bypass vulnerability (CVE-2024-1709). This flaw allows attackers to create admin accounts on exposed servers, delete other users, and take control of vulnerable instances.

CVE-2024-1709 has been actively exploited since the day after security updates were released, and proof-of-concept exploits have been published by several cybersecurity companies. ConnectWise also recently addressed a high-severity path traversal vulnerability (CVE-2024-1708), which requires threat actors to already hold high privileges on the server.

To mitigate ongoing attacks, ConnectWise removed all license restrictions, allowing customers with expired licenses to secure their servers, as both vulnerabilities impact all ScreenConnect versions. CISA has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, instructing U.S. federal agencies to secure their servers by February 29.

According to Shadowserver, CVE-2024-1709 is being widely exploited, with attempts observed from numerous IP addresses against exposed servers, while Shodan has identified over 10,000 Internet-facing ScreenConnect servers, of which only 1,559 run the patched version. The researchers found that the Black Basta and Bl00dy ransomware groups are exploiting these vulnerabilities to gain initial access and to backdoor victims’ networks with web shells.

During their investigations, the researchers observed reconnaissance, discovery, and privilege escalation activities by the attackers, along with the deployment of Cobalt Strike beacons by the Black Basta gang.

The Bl00dy ransomware gang utilized payloads from leaked Conti and LockBit Black builders, with ransom notes identifying them as part of the Bl00dy cybercrime operation. The researchers also noted the deployment of the XWorm malware with RAT and ransomware capabilities by some attackers.

Other threat actors used the compromised ScreenConnect servers to deploy remote management tools like Atera and Syncro, or a second ConnectWise instance. The researchers reported that the recently patched ScreenConnect flaws are exploited in ransomware attacks, with multiple ransomware payloads created using the leaked LockBit ransomware builder found on various networks.

Huntress confirmed these findings, stating that a local government and a healthcare clinic were hit by ransomware attackers who exploited the CVE-2024-1709 authentication bypass to breach their networks. The researchers emphasized that updating to the latest version of ConnectWise ScreenConnect is critical, and that patching should not be delayed.

To protect against attacks by the Black Basta and Bl00dy ransomware groups, organizations should immediately patch CVE-2024-1709. It is also important to keep all software and applications updated to the latest versions so that known vulnerabilities cannot be exploited. Network segmentation and access controls can limit the impact of a breach should one occur. Additionally, organizations should conduct regular security audits and penetration testing to identify and address potential weaknesses in their systems.
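Because the Shodan figures above show that most exposed servers were still unpatched, the first practical step is an inventory check. The following script is an added example (not code from the article, ConnectWise, or any of the researchers cited): it reads a constructed host,version inventory, compares each reported version against a fixed-version threshold, and reports which servers still need patching. The threshold value, the host names and the versions in the sample are all constructed placeholders; substitute the version that ConnectWise's advisory names as patched when running this against a real inventory. Servers whose version cannot be parsed are deliberately reported as "unknown" rather than assumed safe.

```python
"""Triage a ScreenConnect server inventory against a fixed-version threshold.

Added example for the advisory above; not vendor code. Every host name,
version and threshold below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Only dotted numeric versions are accepted; anything else is "unknown".
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '23.9.8' into (23, 9, 8); return None for unparsable input."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad with zeros so that '20.0' compares equal to '20.0.0'."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_at_least(version: tuple[int, ...], fixed: tuple[int, ...]) -> bool:
    """True when `version` is the fixed version or newer."""
    v, f = _pad(version, fixed)
    return v >= f


@dataclass
class Finding:
    host: str
    version: str
    status: str  # "patched", "vulnerable" or "unknown"


def triage(inventory_lines: list[str], fixed_version: str) -> list[Finding]:
    """Classify each 'host,version' line. Unknown versions fail closed."""
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError(f"fixed version is not a dotted numeric version: {fixed_version!r}")
    findings: list[Finding] = []
    for raw in inventory_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        host, _, version = line.partition(",")
        parsed = parse_version(version)
        if parsed is None:
            status = "unknown"  # cannot prove it is patched, so flag it for review
        elif is_at_least(parsed, fixed):
            status = "patched"
        else:
            status = "vulnerable"
        findings.append(Finding(host.strip(), version.strip(), status))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per status, mirroring the patched/unpatched split above."""
    counts = {"patched": 0, "vulnerable": 0, "unknown": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


# Constructed sample inventory: placeholder hosts and versions, not real data.
SAMPLE_INVENTORY = [
    "# host,version (constructed sample)",
    "sc-hq.example.internal,20.0.0",
    "sc-branch1.example.internal,19.12.4",
    "sc-branch2.example.internal,20.1.2",
    "sc-legacy.example.internal,n/a",
    "sc-lab.example.internal,20.0",
]

# Placeholder threshold for the constructed sample; replace with the version
# the vendor advisory names as fixed for CVE-2024-1709 / CVE-2024-1708.
SAMPLE_FIXED_VERSION = "20.0.0"

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY, SAMPLE_FIXED_VERSION)
    for finding in results:
        print(f"{finding.status:<10} {finding.host:<30} {finding.version}")
    print(summarize(results))
```

The "unknown" bucket matters in practice: an inventory tool that cannot read a version (a decommissioned host, a reverse proxy answering instead of the server, a banner that was stripped) should land in a review queue, not in the patched column.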