Ransomware group LockBit targets screen-sharing software ConnectWise ScreenConnect with fresh cyberattacks
LockBit Ransomware Targets Vulnerable ConnectWise ScreenConnect Instances
A series of LockBit ransomware attacks has been linked to the exploitation of ConnectWise ScreenConnect instances, according to cybersecurity firm Sophos. These attacks, which have been ongoing for the past 48 hours, involve tactics such as phishing campaigns and trojanized software installers that deliver malware or enable credential harvesting, facilitating the deployment of ransomware.
Phishing Campaigns and Social Engineering
Cybercriminals are using phishing emails with themes like invoices, tax documents, or Social Security Administration (SSA) notifications to trick victims into downloading trojanized versions of ConnectWise ScreenConnect software. This remote access software is then misused to gain persistence and escalate attacks, enabling the installation of ransomware such as LockBit.
Additional phishing kits like Logokit and custom Python Flask-based kits are used for credential harvesting to facilitate these intrusions. Victims may also be instructed to install software like Microsoft’s Phone Link app to harvest two-factor authentication tokens, increasing the success of the attacks.
Mitigation Measures
In light of these attacks, it is crucial for users to take the following measures to mitigate risks:
- Patch and update all ConnectWise ScreenConnect instances promptly once updates are published by the vendor. Although specific patches for the critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) have not been detailed, general patching is critical.
- Enforce multi-factor authentication on all remote access tools, including ScreenConnect, to mitigate credential theft abuses.
- Monitor for phishing campaigns leveraging invoice, tax, or SSA themes, and educate users to avoid clicking unknown links.
- Detect anomalous behavior typical of remote access misuse and credential harvesting campaigns through endpoint and network monitoring tools.
- Deploy phishing resistance technology such as CAPTCHA (although attackers can bypass it with Cloudflare Turnstile).
- Apply security advisories and vulnerability patches from relevant vendors like Microsoft, Adobe, SAP, and Fortinet as part of a broader security posture improvement.
No Explicit Details on CVE-2024-1709 and CVE-2024-1708
As of August 2025, no public detailed exploits or mitigation steps for these particular vulnerabilities connected to the LockBit ransomware or ScreenConnect have been reported. This suggests that these vulnerabilities may be newly disclosed or not yet broadly detailed in public sources.
ConnectWise Response
ConnectWise has addressed both vulnerabilities in ScreenConnect, with cloud partners being automatically protected within 24 hours. On-premises users have been instructed to update to version 23.9.8 or higher to secure their instances. ConnectWise has not confirmed any direct links between the vulnerabilities and any security incidents.
However, the company has taken the step of suspending instances for unpatched on-premises users who have not updated to the most recent secure versions.
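The update guidance above can be turned into a quick inventory check. The following is an added example, not code from ConnectWise or Sophos: it buckets ScreenConnect hosts against the fixed on-premises version 23.9.8 named in the article. The CSV column names, hostnames and version strings are constructed for illustration.

```python
import csv
import io

FIXED = (23, 9, 8)  # minimum fixed on-premises version named in the article

# Constructed sample inventory; hosts, column names and versions are made up.
SAMPLE_INVENTORY = """host,deployment,version
sc-gw01.example.internal,on-prem,23.9.7.8804
sc-gw02.example.internal,on-prem,23.9.8
sc-gw03.example.internal,on-prem,23.10.2
sc-lab.example.internal,on-prem,22.10
sc-old.example.internal,on-prem,unknown
tenant-a.example.internal,cloud,
"""


def parse_version(text):
    """Return the dotted version as a tuple of ints, or None if unparsable."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def below_fixed(version):
    """Compare numerically (so 23.10 > 23.9), padding to equal length."""
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(FIXED)


def triage(inventory_csv):
    """Bucket hosts: update (below fixed), ok, review (no usable version), cloud."""
    buckets = {"update": [], "ok": [], "review": [], "cloud": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["deployment"].strip().lower() == "cloud":
            buckets["cloud"].append(row["host"])  # vendor-patched per the article
            continue
        version = parse_version(row["version"])
        if version is None:
            buckets["review"].append(row["host"])  # never assume patched
        elif below_fixed(version):
            buckets["update"].append(row["host"])
        else:
            buckets["ok"].append(row["host"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:7} {', '.join(hosts) or '-'}")
```

Hosts with a missing or unparsable version land in `review` rather than `ok`, so an incomplete inventory cannot hide an unpatched instance.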
Federal Response
Federal Civilian Executive Branch agencies have been given a deadline to take mitigation measures for the critical flaw (CVE-2024-1709) due to its high CVSS score. The Cybersecurity and Infrastructure Security Agency has added the critical flaw to its Known Exploited Vulnerabilities catalog, indicating a significant risk to the federal enterprise.
For detailed CVE technical data, it may be necessary to consult official vulnerability databases or vendor security advisories directly, as the latest public threat intelligence on these CVEs is limited.
- The ongoing LockBit ransomware attacks are linked to the exploitation of vulnerabilities in ConnectWise ScreenConnect instances, indicating a need for threat intelligence to stay informed about these cybersecurity threats.
- In response to the vulnerability (CVE-2024-1709), Federal Civilian Executive Branch agencies have been given a deadline to take mitigation measures, demonstrating the importance of securing finance and critical infrastructure against ransomware attacks.
- To protect against the potential deployment of ransomware like LockBit, it's essential to implement measures such as patching and updating the ScreenConnect instance, enforcing multi-factor authentication, and monitoring for phishing campaigns.
- Technology solutions like phishing resistance technology and endpoint and network monitoring tools can help detect anomalous behavior typical of malware and credential harvesting campaigns, ensuring a robust cybersecurity posture.