Update, February 23, 07:02 EST: According to a report released today by Sophos, the ransomware payloads they saw were created using the leaked LockBit builder, which irate malware developers allegedly leaked online in late September 2022.
Sophos observed samples from this week’s attacks, including a buhtiRansom LockBit variant dropped on 30 different customer networks, and another payload made with the leaked LockBit builder and dropped by various threat actors.
We had seen several attacks over the previous 24 hours that appeared to have been carried out with LockBit ransomware, built using a leaked malware builder tool, according to Sophos X-Ops’ report on social media on February 22, 2024.
“It appears that our signature-based detection correctly identified the payloads as ransomware produced by the leaked LockBit builder,” but the ransom notes that they dropped identified one as “buhtiRansom” and the other as unnamed.
The title has been updated accordingly. The original story follows.
Attackers are deploying LockBit ransomware payloads on compromised networks by taking advantage of a maximum severity authentication bypass vulnerability.
Since Tuesday, when ConnectWise released security updates and several cybersecurity companies published proof-of-concept exploits, the maximum-severity CVE-2024-1709 authentication bypass flaw has been actively exploited.
ConnectWise also fixed CVE-2024-1708, a high-severity path traversal vulnerability that can only be exploited by threat actors who already hold high privileges.
Because both security bugs affect all ScreenConnect versions, the company removed all license restrictions on Wednesday so that customers with expired licenses can upgrade to the most recent software version and protect their servers from attacks.
Today, CISA updated its Known Exploited Vulnerabilities Catalog to include CVE-2024-1709, requiring federal agencies in the United States to secure their servers by February 29.
According to Shadowserver, a security threat monitoring platform, CVE-2024-1709 is now being exploited widely in the wild, with 643 IPs currently targeting vulnerable servers.
Shodan tracks over 8,659 ScreenConnect servers, of which only 980 are currently running the patched 23.9.8 version.
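The Shodan figures above are a reminder that the first defensive step is knowing which of your own ScreenConnect servers run at or above the patched release. The script below is an added example (not code from the article, from ConnectWise or from Shodan): it takes a constructed inventory of hostnames and reported version strings, compares each against the 23.9.8 fix version the article names, and sorts hosts into patched, vulnerable and unknown. It assumes version strings are dotted numerics (the sample values are made up); comparing them as integer tuples rather than strings avoids the common mistake of treating "23.10" as older than "23.9".

```python
"""Triage a ScreenConnect inventory against the patched version.

Added example, not code from the original article or from ConnectWise.
The fixed version (23.9.8) is the one the article names; the inventory
below is constructed sample data, not real hosts.
"""
import re

# Version in which ConnectWise shipped the fix, per the article.
FIXED_VERSION = "23.9.8"

# Constructed sample inventory: (hostname, version string as reported).
SAMPLE_INVENTORY = [
    ("sc-hq.example", "23.9.8.8811"),
    ("sc-branch.example", "23.9.7.8804"),
    ("sc-lab.example", "22.6.10.8213"),
    ("sc-new.example", "23.10.2.8876"),
    ("sc-unknown.example", "n/a"),
]


def parse_version(text):
    """Return a tuple of ints from a dotted version string, or None if unparseable.

    Tuples of ints compare numerically per component, so (23, 10) > (23, 9);
    a plain string comparison would get that wrong.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text, fixed=FIXED_VERSION):
    """True if version_text is at least the fixed version, None if unknown."""
    v = parse_version(version_text)
    if v is None:
        return None
    f = parse_version(fixed)
    # Pad the shorter tuple with zeros so 23.9.8 and 23.9.8.0 compare equal.
    n = max(len(v), len(f))
    v = v + (0,) * (n - len(v))
    f = f + (0,) * (n - len(f))
    return v >= f


def triage(inventory):
    """Split (host, version) pairs into patched, vulnerable and unknown lists."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        status = is_patched(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket deserve the same urgency as "vulnerable" ones until their version is confirmed: a server that cannot report a version is not evidence that it is patched.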
Exploited in LockBit ransomware attacks
Threat actors have been deploying LockBit ransomware on victims’ systems after gaining access with exploits targeting these two ScreenConnect vulnerabilities, according to Sophos X-Ops today.
According to the Sophos threat response task force, “in the last 24 hours, we’ve observed several LockBit attacks, apparently following exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708/CVE.
Two things are of interest here. First, as others have noted, the ScreenConnect vulnerabilities are actively being exploited in the wild. Second, it appears that some affiliates are still active despite the law enforcement action against LockBit.
A local government, including systems likely connected to its 911 systems, and a “healthcare clinic” have also been attacked by LockBit ransomware operators who used CVE-2024-1709 exploits to breach their networks, according to cybersecurity company Huntress.
In an email, Huntress stated, “We can confirm that the malware being deployed is connected to LockBit.”
Although we can’t directly attribute this to the larger LockBit group, it is obvious that LockBit has a sizable reach that includes tooling, numerous affiliate groups, and offshoots that have persisted despite the government’s significant crackdown.
LockBit dismantled in Operation Cronos
This week, the LockBit ransomware infrastructure was taken over as part of Operation Cronos, a global law enforcement initiative led by the United Kingdom’s National Crime Agency (NCA), after the gang’s dark web leak sites were shut down on Monday.
Over 1,000 decryption keys were recovered from LockBit’s seized servers and made available on the “No More Ransom” portal by the Japan National Police Agency as part of this joint operation.
Several LockBit affiliates were detained in Poland and Ukraine as part of Operation Cronos, and three international arrest warrants and five indictments were issued by French and American authorities. Two of these indictments, against Russian suspects Artur Sungatov and Ivan Gennadievich Kondratiev (also known as Bassterlord), were filed by the US Justice Department.
LockBit had at least 188 affiliates as of September 2019, according to additional information made public by law enforcement on the group’s seized dark web leak site.
Over the past four years, LockBit has claimed attacks on numerous major corporations and government agencies, including Boeing, the world’s largest automaker, UK Royal Mail, and the Italian Internal Revenue Service.
For information about LockBit ransomware gang members and their associates, the U.S. State Department now offers rewards of up to $15 million.
A new malware version known as LockBit-NG-Dev (which would most likely have been released as version 4.0) was being developed in secret, according to a report by BleepingComputer today.