FOCUS FRIDAY: Lockbit Shutdown Insights & ScreenConnect and Exchange Server Vulnerabilities
Written by: Emily Conlin
Written by: Ferhat Dikbiyik
Additional Contributions: Ferdi Gül and Yavuz Han
Edited by: Emily Conlin
This week’s Focus Friday takes a comprehensive look at the cybersecurity landscape, starting with an analysis of the Lockbit ransomware group’s shutdown from a TPRM perspective. We then pivot to exploring critical vulnerabilities in ScreenConnect and Exchange Server, highlighting the importance of understanding these threats for effective third-party risk management (TPRM). Through detailed discussions on mitigation strategies and the utility of Black Kite’s Focus Tags™, we aim to enhance cybersecurity readiness against high-profile incidents.
Lockbit’s Takedown: A TPRM Perspective
In the ever-shifting landscape of cyber threats, the recent takedown of the LockBit ransomware group stands as a monumental event. This coordinated sting, known as Operation Cronos, has rattled the foundations of the cyber underworld and signifies a new era in the fight against digital crime.
This decisive action against one of the most formidable ransomware groups in recent history underscores the critical importance of Third-Party Risk Management (TPRM) professionals staying vigilant. As the dust begins to settle, new developments continue to emerge, including fresh arrests and the offering of rewards for information leading to further apprehensions. Such updates not only demonstrate the ongoing nature of the law enforcement response but also highlight the persistent risks that third parties pose to organizational cybersecurity.
What Happened
In a globally coordinated effort dubbed Operation Cronos, international law enforcement agencies delivered a crippling blow to the LockBit ransomware operation. LockBit, a dominant force in the cybercrime arena, had its infrastructure taken over after the National Crime Agency of the UK, along with the FBI and other global partners, conducted a series of strategic raids. These actions led to significant arrests and the seizure of critical assets, thereby disrupting the group’s ability to operate and marking a significant triumph in the fight against digital crime syndicates.
A deeper exploration of the operation’s scale, the sophisticated tactics employed by law enforcement, and the broader impact on the cyber landscape is thoroughly analyzed in the Black Kite blog. The post offers an intricate look at the measures taken to dismantle LockBit’s network, shedding light on the intricacies of modern cyber warfare and its consequences for the future of online security.
Update on Operation Cronos and Its Ripple Effects on the Cybercrime Ecosystem
Law enforcement agencies have made new strides, arresting additional affiliates linked to the notorious LockBit ransomware group. These arrests, reported on LockBit’s dark web blog, signify the continued pressure on cybercriminal networks.
Moreover, the U.S. Department of State has escalated its offensive against ransomware operations with a substantial reward offer, $15,000,000 in total, aiming to dismantle the leadership of the LockBit group. This strategic move highlights the unwavering commitment to disrupt cybercriminal activities that have plagued global cyber infrastructures.
The Treasury Department’s actions against LockBit affiliates mark a significant step in the ongoing battle against ransomware. These sanctions are designed to disrupt the economic foundations of cybercriminal groups that have previously launched debilitating attacks on essential services. One notable incident involved the Industrial and Commercial Bank of China (ICBC), where attackers exploited vulnerabilities known as Citrixbleed to penetrate and disrupt the bank’s operations. Such attacks underline the necessity for comprehensive security measures to safeguard sensitive sectors against sophisticated ransomware tactics.
The cybersecurity landscape is witnessing a strategic reshuffle as LockBit affiliates potentially join forces with the Royal Ransomware group, a development pointed out by the cybersecurity firm Prodaft. This underscores the need for Third-Party Risk Management (TPRM) teams to be nimble in their risk assessment strategies. The trend of smaller, agile ransomware groups emerging post-Conti suggests that the threat environment is evolving rapidly. Now, more than ever, TPRM professionals must employ proactive measures to mitigate risks posed by these emerging cyber threats and safeguard their organizations.
The TPRM Perspective: Preparing for the Evolving Threat Landscape
For TPRM professionals, the evolving dynamics of the ransomware ecosystem demand a proactive stance. Ransomware ranks as the second most common cause of third-party data breaches, a reality that underscores the importance of comprehensive vendor risk assessments.
It is imperative for organizations to monitor the ransomware risk posed to their vendors. Attacks on third parties can lead to the compromise of sensitive data and, in some instances, subsequent extortion attempts directed at the clients of those vendors.
In this complex environment, Black Kite’s tools and insights, including the Ransomware Susceptibility Index (RSI) and Data Breach tags, offer essential resources to TPRM professionals. These tools help in identifying and mitigating risks associated with ransomware, enabling organizations to fortify their defenses and protect their critical assets.
Harnessing the Power of RSI for Targeted Ransomware Risk Mitigation
In the ever-evolving battle against ransomware, Third-Party Risk Management (TPRM) professionals possess a powerful ally in the Ransomware Susceptibility Index (RSI). The RSI, a specialized metric developed by Black Kite, serves as a predictive tool, gauging a company’s likelihood of falling victim to ransomware attacks. Companies with higher RSI scores face a significantly increased risk, with those in the highest brackets up to 27 times more likely to suffer an attack compared to those with the lowest scores.
This critical insight allows TPRM professionals to prioritize and tailor their risk mitigation strategies effectively. By sharing detailed RSI reports with their vendors, TPRM professionals empower them with the knowledge needed to bolster their cyber defenses, ensuring both parties can proactively counter the ransomware threat. This collaborative approach not only enhances the security posture of vendors but also safeguards the data integrity of the primary organization, creating a fortified ecosystem resistant to ransomware threats.
Enhancing Vendor Risk Posture with Black Kite’s Ransomware/Data Breach Focus Tags™
Black Kite’s Ransomware/Data Breach Focus Tags™ empower TPRM professionals with real-time insights when a vendor falls prey to a Ransomware attack or Data Breach. These tags, grounded in the vigilant monitoring of over 130 ransomware groups by the Black Kite Research & Intelligence Team (BRITE), provide a crucial layer of security awareness. In 2023 alone, 67 active ransomware groups were documented as having claimed at least one victim, attesting to the pervasive threat landscape. Furthermore, the Black Kite platform enriches its monitoring capabilities by incorporating data from a multitude of external sources, ensuring that vendors are tagged and flagged appropriately, and providing a comprehensive view of the vendor’s cyber health and risk exposure.
These tags are triggered by ransomware incidents or data breaches, providing TPRM teams with immediate notifications. By integrating these alerts into their workflows, TPRM professionals can act swiftly to assess and address the impact of a cyber incident on their vendors.
What Questions TPRM Professionals Should Ask Vendors in Case of Ransomware
When engaging with a vendor who has experienced a ransomware attack, TPRM professionals should consider the following questions:
- What immediate support can our company provide to assist in your response and recovery efforts?
- Can you detail the scope of the data breach and specify if any of our shared data has been compromised?
- What measures are you taking to contain and remediate the ransomware incident?
- How will this incident affect our digital interactions and the security of our connected systems?
These inquiries help establish a collaborative approach to crisis management and ensure a clear understanding of potential impacts on shared digital ecosystems.
ScreenConnect Vulnerabilities Exploited to Deploy Lockbit Ransomware
The cybersecurity community has been celebrating the shutdown of the largest player in the ransomware cybercrime ecosystem. However, two important zero-day vulnerabilities in ConnectWise’s ScreenConnect products have raised concerns, especially due to their connection to Lockbit ransomware attacks.
What Are the ScreenConnect Vulnerabilities?
In a recent discovery, two significant security vulnerabilities have been identified in ConnectWise’s ScreenConnect, a widely used remote desktop and access software. The vulnerabilities in question are CVE-2024-1708, a Path Traversal Vulnerability with a CVSS score of 8.4, indicating a high severity level, and CVE-2024-1709, an Authentication Bypass Vulnerability, scored at the critical level with a CVSS of 10. The EPSS scores for these vulnerabilities are 16% and 99%, respectively, suggesting a high probability of exploitation in the wild at this moment.
CVE-2024-1708 and CVE-2024-1709 were identified by ConnectWise, highlighting the potential for attackers to remotely execute arbitrary code, gaining unauthorized control over affected systems. These vulnerabilities could be exploited by attackers through sophisticated methods involving CSRF tokens and malicious payloads, posing a significant risk to systems running vulnerable versions of ScreenConnect (versions ≤ 23.9.7). One of these vulnerabilities (CVE-2024-1709) was added to CISA’s Known Exploited Vulnerabilities catalog on February 22, 2024.
Connection with Lockbit Ransomware
Sophos X-Ops has reported that threat actors deployed LockBit ransomware by using the ScreenConnect vulnerabilities to breach victims’ systems. The vulnerabilities CVE-2024-1708 / CVE-2024-1709 are being actively exploited in the wild, and despite law enforcement’s efforts, some LockBit affiliates are still operating.
Huntress, a cybersecurity company, has confirmed Sophos’ findings and revealed that LockBit ransomware attackers have also hit a local government and a healthcare clinic. The malware being deployed is associated with Lockbit, which has a broad reach spanning various affiliate groups and offshoots.
Why TPRM Professionals Should Be Alert
From a Third-Party Risk Management (TPRM) perspective, these vulnerabilities warrant close attention due to the critical role ScreenConnect plays in many organizations’ IT infrastructure. The Authentication Bypass and Path Traversal Vulnerabilities directly threaten the integrity and confidentiality of remote access systems, potentially allowing unauthorized access to sensitive information and system controls. This scenario underscores the importance of maintaining vigilance and implementing robust security measures, especially in products that enable remote access and control over corporate networks.
The involvement of groups like LockBit with vulnerabilities in critical software underscores the evolving threat landscape. TPRM professionals need to consider not only the technical aspects of vulnerabilities, like those in ScreenConnect, but also the broader context of how organized cybercriminal groups may exploit these vulnerabilities. This awareness is essential for developing a comprehensive risk management strategy that addresses both immediate and emerging threats.
Questions for Vendors
When addressing these vulnerabilities with vendors, TPRM professionals should consider asking:
- Have you completed the patching process for CVE-2024-1708 and CVE-2024-1709?
- Can you outline any specific detection mechanisms you have in place for identifying exploitation attempts of CVE-2024-1708 and CVE-2024-1709?
- Given the association of these vulnerabilities with tactics used by groups like LockBit or its remaining members, what impact analysis have you conducted?
Remediation Recommendations
For vendors impacted by these vulnerabilities, immediate action is recommended:
- Update to version 23.9.8 of ScreenConnect, which addresses these vulnerabilities.
- Implement additional security measures such as two-factor authentication (2FA) and CSRF defenses.
- Ensure rigorous monitoring of network traffic for signs of unusual activities, indicative of exploitation attempts.
Leveraging Black Kite for ScreenConnect Vulnerabilities
Black Kite published the Focus Tag on February 20, 2024, with an update following on February 21, 2024, demonstrating swift action in providing critical information to customers. By utilizing Black Kite’s platform, TPRM professionals can effectively identify vendors within their ecosystem that are potentially affected by these vulnerabilities. Black Kite’s detailed asset information, including IP addresses and subdomains at risk, empowers TPRM professionals to precisely target their risk assessment and mitigation efforts, significantly reducing the time and resources typically required for such processes.
This proactive and targeted approach not only enhances the security posture of organizations but also streamlines the vendor risk management process, ensuring that efforts are focused where they are most needed.
Focus on Exchange Server’s Privilege Elevation Vulnerability: CVE-2024-21410
What is the Privilege Elevation Vulnerability in Exchange Server?
CVE-2024-21410 is a critical privilege elevation vulnerability in Microsoft Exchange Server, with a critical severity rating (CVSS: 9.8) and a notable likelihood of exploitation (EPSS: 0.71%). This vulnerability allows attackers to exploit NTLM credential-leaking flaws, potentially gaining full control over the system. It’s particularly concerning because of its exploitation in the wild, indicated by its listing in CISA’s KEV catalog on February 16, 2024. The vulnerability’s exploitation by notable threat actors, including APT28, underscores its significance.
Why Must TPRM Professionals Take Heed?
This vulnerability stands out for TPRM professionals due to the essential role Exchange Server plays in organizational communication. The ability of attackers to elevate privileges and gain system control poses direct threats to the confidentiality and integrity of email communications and organizational data. Understanding the risk and ensuring that vendors have taken steps to mitigate this vulnerability is crucial for protecting sensitive information and maintaining trust.
Key Questions for Vendors
TPRM professionals should ask vendors specific questions regarding CVE-2024-21410, such as:
- Have you assessed your systems for the presence of CVE-2024-21410?
- What measures are in place to mitigate the impact of this vulnerability?
- Can you confirm the application of the Exchange Server 2019 Cumulative Update 14 (CU14) or other relevant mitigations?
- How do you monitor for potential exploitation attempts against this vulnerability?
Remediation Recommendations
Immediate steps for vendors include:
- Applying the Exchange Server 2019 CU14 update or later versions that address this vulnerability.
- Enabling Extended Protection for Authentication (EPA) to mitigate NTLM relay attacks.
- Regularly updating systems and applying security best practices to prevent exploitation.
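The two version rules stated above (ScreenConnect fixed in 23.9.8, with 23.9.7 and earlier affected; Exchange Server 2019 fixed in CU14) can be turned into a vendor-inventory triage check. The following is an added example, not Black Kite code or tooling: it assumes a constructed inventory of (vendor, product, version) rows, compares dotted versions numerically so that 23.10.x is correctly treated as newer than 23.9.8, and flags any Exchange version it cannot parse as needing manual review rather than silently passing it.

```python
import re
from dataclasses import dataclass

# Fixed versions as stated in the remediation sections above.
SCREENCONNECT_FIXED = (23, 9, 8)   # CVE-2024-1708 / CVE-2024-1709
EXCHANGE_2019_FIXED_CU = 14        # CVE-2024-21410, Exchange Server 2019 CU14


def parse_version(version: str) -> tuple:
    """Dotted version string -> tuple of ints, so comparison is numeric.
    A plain string compare would wrongly rank "23.10.1" below "23.9.8"."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_screenconnect(version: str) -> bool:
    """True for any ScreenConnect build below 23.9.8 (i.e. <= 23.9.7)."""
    return parse_version(version) < SCREENCONNECT_FIXED


def is_vulnerable_exchange(version: str):
    """True if an Exchange Server 2019 CU below CU14 is reported.
    Returns None when the string is not in '2019 CU<n>' form, so the
    caller can route it to manual review instead of assuming it is safe."""
    match = re.search(r"2019\s*CU\s*(\d+)", version, re.IGNORECASE)
    if match is None:
        return None
    return int(match.group(1)) < EXCHANGE_2019_FIXED_CU


@dataclass
class Finding:
    vendor: str
    product: str
    version: str
    focus_tag: str


def triage(inventory) -> list:
    """Return one Finding per inventory row that matches a Focus Tag rule."""
    findings = []
    for vendor, product, version in inventory:
        if product == "ScreenConnect" and is_vulnerable_screenconnect(version):
            findings.append(Finding(vendor, product, version,
                                    "CVE-2024-1708 / CVE-2024-1709"))
        elif product == "Exchange Server":
            result = is_vulnerable_exchange(version)
            if result is None:
                findings.append(Finding(vendor, product, version,
                                        "CVE-2024-21410 (manual review)"))
            elif result:
                findings.append(Finding(vendor, product, version,
                                        "CVE-2024-21410"))
    return findings


# Constructed sample inventory; vendor names and versions are made up.
SAMPLE_INVENTORY = [
    ("Vendor A", "ScreenConnect", "23.9.7"),          # affected
    ("Vendor B", "ScreenConnect", "23.10.1"),         # newer than the fix
    ("Vendor C", "Exchange Server", "2019 CU13"),     # below CU14
    ("Vendor D", "Exchange Server", "2019 CU14"),     # patched
    ("Vendor E", "Exchange Server", "2016 CU23"),     # not covered by the rule
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.vendor}: {finding.product} {finding.version} -> {finding.focus_tag}")
```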
Utilizing Black Kite for Enhanced Vigilance
Black Kite’s Focus Tag for CVE-2024-21410, published on February 16, 2024, offers a critical advantage for TPRM professionals. By leveraging Black Kite’s detailed asset information, professionals can pinpoint vulnerable systems within their vendor network more efficiently. This capability not only saves time but also significantly enhances the effectiveness of risk management efforts in the face of evolving threats.
Strengthening TPRM with Black Kite’s Focus Tags™ in Dynamic Threat Environments
Black Kite’s Focus Tags™ emerge as a cornerstone in refining TPRM strategies amidst the ever-evolving cyber threat landscape. This week, the spotlight is on the strategic importance of these tags following the LockBit ransomware shutdown and in addressing vulnerabilities within ScreenConnect and Exchange Server.
- Proactive Risk Identification: Instantly pinpointing at-risk vendors for immediate action.
- Focused Risk Prioritization: Guiding resource allocation based on the criticality of vendors and severity of vulnerabilities.
- Enhanced Vendor Dialogue: Facilitating focused discussions on specific vulnerabilities for more effective risk management.
- Broadened Security Perspectives: Providing a comprehensive view of the threat landscape, vital for developing adaptable cybersecurity strategies.
Leveraging Black Kite’s Focus Tags™, especially in light of recent developments such as the Lockbit ransomware group’s shutdown, empowers TPRM professionals with the insights needed to navigate the complexities of current cybersecurity threats, ensuring a proactive stance in safeguarding against vulnerabilities.
Want to take a closer look at Focus Tags™?
Take our platform for a test drive and request a demo today.
Focus Tags™ in the last 30 days:
- ScreenConnect: CVE-2024-1709, Authentication Bypass Vulnerability
- Cisco ASA [Suspected]: CVE-2020-3259, Information Disclosure Vulnerability
- Exchange Server: CVE-2024-21410, Privilege Elevation Vulnerability
- QNAP QTS: CVE-2023-47218, CVE-2023-50358, OS Command Injection Vulnerability
- Symantec MG [Suspected]: CVE-2024-23615, CVE-2024-23614, Buffer Overflow Vulnerability (Remote Code Execution)
- FortiOS SSL VPN [Suspected]: CVE-2024-22024, Out-of-Bounds Write Vulnerability
- RoundCube [Suspected]: CVE-2023-43770, Stored XSS Vulnerability [Updated]
- Citrix ADC/Gateway: CVE-2023-6549 [Updated], Buffer Overflow Vulnerability
- Ivanti EPMM: CVE-2023-35082 [Updated], Authentication Bypass Vulnerability
- GoAnywhere [Suspected]: CVE-2024-0204, Authentication Bypass Vulnerability
- Redis RCE: CVE-2023-41056, Remote Code Execution Vulnerability
- Ivanti ICS: CVE-2024-21887, Command Injection Vulnerability; CVE-2023-46805, Authentication Bypass Vulnerability
- Cacti SQLi: CVE-2023-51448, Blind SQL Injection (SQLi) Vulnerability
- Juniper OS: CVE-2024-21591 [Updated Tag], Remote Code Execution Vulnerability
- Kyocera Device Manager [Suspected]: CVE-2023-50916, Path Traversal Vulnerability
- Apache Tomcat: CVE-2023-46589, Improper Input Validation Vulnerability
References:
- https://www.state.gov/reward-for-information-lockbit-ransomware-as-a-service/
- https://home.treasury.gov/news/press-releases/jy2114
- https://x.com/PRODAFT/status/1760698932005388492?s=20
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://infosec.exchange/@SophosXOps/111975043941611370
- https://www.bleepingcomputer.com/news/security/screenconnect-servers-hacked-in-lockbit-ransomware-attacks/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410
- https://www.cisa.gov/news-events/alerts/2024/02/15/cisa-adds-two-known-exploited-vulnerabilities-catalog