North Korean hacking group attacks ScreenConnect flaws to drop dangerous new malware

Representational image depicting cybersecurity protection
(Image credit: Shutterstock)

North Korean state-sponsored threat actors were observed using the recently discovered ScreenConnect vulnerabilities to steal sensitive data from their targets. 

A new report from Kroll shared with TechRadar Pro found a group known as Kimsuky (AKA Thallium) abused two flaws found in ConnectWise’s solution to drop ToddleShark, an upgraded version of the group’s other backdoors, BabyShark and ReconShark. 

BabyShark was previously seen on endpoints belonging to government firms, universities, and research centers in the West. While we don’t know who the victims were in this case, it’s safe to assume they’re from the same verticals.

Two ScreenConnect flaws

As for the data Kimsuky obtained this way, the researchers said the group collected hostnames, system configuration details, user accounts, active user sessions, network configurations, data on installed security software, all current network connections, an enumeration of running processes, and a list of installed software.

This information most likely allows the threat actor to prepare for a more destructive cyberattack. Kimsuky is known for cyber-espionage against government entities.

To drop ToddleShark, Kimsuky abused two ScreenConnect vulnerabilities: CVE-2024-1709 (an authentication bypass flaw) and CVE-2024-1708 (a path traversal vulnerability). ConnectWise discovered them late last month and, soon after disclosing the findings, observed mass exploitation. Threat actors from all over the world rushed to exploit unpatched endpoints, dropping various malware and even ransomware. Some researchers said the infamous LockBit group also used the flaws to drop its encryptor.

A company spokesperson said the majority of its clients (80%) use cloud-based environments which were patched within two days.

The exact number of firms affected by the flaws is hard to determine, but the media reported that more than one million SMBs managing over 13 million devices are ConnectWise customers.

ScreenConnect is a remote access platform, allegedly used by more than one million companies around the world. 

In a statement, ConnectWise told TechRadar Pro, "ConnectWise did not experience a data breach, intrusion, or ransomware event but a vulnerability was reported. On February 13th, an independent researcher submitted a potential ScreenConnect vulnerability through our voluntary disclosure process. Once validated, ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours. On February 19th, we released a patch for all on-prem ScreenConnect customers, posted a security bulletin on the ConnectWise Trust Center, and sent patching instructions to ScreenConnect customers. ConnectWise strongly recommends customers immediately patch on-prem instances of ScreenConnect. At this time, ConnectWise and other cybersecurity firms have seen exploits of the ScreenConnect vulnerability on unpatched on-prem instances. However, cyberattacks can occur through numerous avenues, including vulnerabilities, phishing, and business email compromise. While usually used for IT service delivery and product support, attackers can misuse remote control tools to facilitate malicious activities."

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.