North Korean statesponsored threat actors were observed using the recently discovered ScreenConnect vulnerabilities to steal sensitive data from their targets.
A new report from Kroll shared with Pro found a group known as Kimsuky (AKA Thallium) abused two flaws found in ConnectWise’s solution to drop ToddleShark, an upgraded version of the group’s other backdoors, BabyShark and ReconShark.
BabyShark was previously seen on endpoints belonging to government firms, universities, and research centers in the West. While we don’t know who the victims were in this case, it’s safe to assume they’re from the same verticals.
Two ScreenConnect flaws
As for the data Kimsuky obtained this way, the researchers said they grabbed information regarding hostnames, system configuration details, user accounts, active user sessions, network configurations, data on security software, all current network connections, enumeration of running processes, and a list of installed software.
This information, most likely, allows the threat actor to prepare for a more destructive cyberattack. Kimsuky is known for cyberespionage against government entities.
To drop ToddleShark, Kimsuky abused two ScreenConnect vulnerabilities: CVE20241709 (authentication bypass flaw), and CVE20241708 (path traversal vulnerability). ConnectWise discovered them late last month, and soon after disclosing the findings, observed them being massively abused. Threat actors from all over the world flocked to take advantage of unpatched endpoints, and drop various malware, and even ransomware. Some researchers said the infamous LockBit group also used the flaws to drop its encryptor.
A company spokesperson said the majority of its clients (80%) use cloudbased environments which were patched within two days.
ScreenConnect is a remote access platform, allegedly used by more than one million companies around the world.