Update ConnectWise ScreenConnect Servers Or Take Offline As Ransomware Is Deployed


‘It’s odd because now our work has shifted to not getting ahead of the vulnerability and understanding it and sharing the intel, it’s watching the internet burn and trying to respond and remediate the best we can. We’re watching the world burn,’ says John Hammond, principal security researcher at threat hunting firm Huntress.


The Cybersecurity and Infrastructure Security Agency (CISA) issued a notice Thursday that ConnectWise partners and end customers should take all on-premises ScreenConnect servers offline if they cannot update them to the latest version, amid the ConnectWise ScreenConnect vulnerabilities that were reported earlier this week.

And exploits are already being seen in the wild.

“We’re seeing such a variety of different attempts,” John Hammond, principal security researcher at threat hunting firm Huntress, told CRN. “So many different threat actors are just taking advantage of these golden hours of exploitation.”

In a 30-page report released Friday, Ellicott City, Md.-based Huntress said it has detected and evicted active adversaries leveraging ScreenConnect access for post-exploitation. Payloads observed after the initial compromise include ransomware, cryptocurrency miners, Cobalt Strike and additional remote access tools.

One company, UnitedHealth Group’s Change Healthcare, was experiencing slowdowns at pharmacies due to a strain of LockBit malware that SC Magazine reported was linked to the ScreenConnect vulnerabilities.

In an 8-K filing with the U.S. Securities and Exchange Commission on Wednesday, UnitedHealth Group, the parent company of Change Healthcare, said it had “identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology system.”

“During the disruption, certain networks and transactional services may not be accessible,” the filing stated.

[Related: Huntress On ‘Critical’ ConnectWise Vulnerabilities: ‘It Does Have A Certain Firestorm Potential’]
