Cyber Forum
ConnectWise ScreenConnect Exploit
Wayne R. Selk (post 8175) wrote:

ACTIONABLE | Severity: Medium | TLP:GREEN
ScreenConnect Flaws Exploited to Drop New ToddlerShark Malware

Summary:
Late last month, ConnectWise addressed two flaws impacting its remote access software ScreenConnect, which could be exploited by actors to bypass authentication (CVE-2024-1709) and execute code remotely (CVE-2024-1708). Since then, several threat actors have abused the flaws, particularly CVE-2024-1709, in the wild to deploy various payloads including ransomware (Black Basta, Bl00dy, LockBit), remote access trojans, info stealers, and much more. According to cybersecurity analysts at Kroll, North Korean APT group Kimsuky has now joined in the exploitation of these flaws to infect victims with a new malware variant dubbed ToddlerShark. ToddlerShark is believed to be a new variant of the group's BabyShark and ReconShark backdoors and is mainly designed to harvest/collect system data (hostname, user accounts, active user sessions, running processes, etc.) and maintain persistent access to the target system through the help of scheduled tasks. Notable about the malware is its ability to evade detection through the use of legitimate Microsoft binaries such as mshta.exe, which is further used to execute heavily obfuscated VBScript scripts, making analysis more challenging. ToddlerShark is also capable of modifying the Windows Registry to allow macros to run without triggering alerts and employs randomized strings to alter its structural pattern, rendering signature-based detections ineffective.
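The post stresses that signature matching is weak against this malware because of its randomized strings, so the practical defensive angle is behavioural: watch for the three behaviours it does name (mshta.exe launching inline script, schtasks-based persistence, and registry changes that silence Office macro warnings). The following triage script is an added example, not code from the post, Kroll or ConnectWise. It runs over constructed Sysmon-style events; the parent-process names (ScreenConnect.ClientService.exe, ScreenConnect.WindowsClient.exe), the VBAWarnings key and all sample paths are assumptions chosen to illustrate the rules, not indicators taken from the advisory.

```python
"""Behavioural triage of Sysmon-style events for the ToddlerShark-style
behaviours named in the post. Added example; all events, paths and rule
thresholds are constructed assumptions, not indicators from the advisory."""
import re

# Constructed events modelled on Sysmon IDs: 1 = process create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "command_line": 'mshta.exe vbscript:Execute("...")'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": 'schtasks /create /sc minute /mo 15 /tn "UpdateCheck" /tr "mshta.exe C:\\Users\\Public\\u.hta"'},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",          # benign control event
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe report.txt"},
]

# Assumed ScreenConnect client binaries; tune to the names seen in your own telemetry.
SCREENCONNECT_PARENT = re.compile(r"^screenconnect\.(clientservice|windowsclient)\.exe$", re.I)
# Office trust-center setting; value 1 means "enable all macros" (no warning shown).
MACRO_KEY = re.compile(r"\\Office\\[\d.]+\\(Word|Excel|PowerPoint|Outlook)\\Security\\VBAWarnings$", re.I)
# mshta carrying script inline or fetching an HTA remotely, rather than opening a local .hta file.
MSHTA_INLINE = re.compile(r"(vbscript|javascript):|https?://", re.I)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (the part after the last backslash)."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per (event index, rule) pair that fires."""
    findings = []
    for idx, ev in enumerate(events):
        if ev["id"] == 1:
            image = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "")
            # Rule 1: mshta.exe used as a script host instead of opening a local HTA.
            if image == "mshta.exe" and MSHTA_INLINE.search(cmd):
                findings.append({"event": idx, "rule": "mshta_inline_script"})
            # Rule 2: scheduled-task creation, the persistence mechanism the post describes.
            if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
                findings.append({"event": idx, "rule": "schtasks_create"})
            # Rule 3: a ScreenConnect process spawning a script host (assumed parent names).
            if SCREENCONNECT_PARENT.search(parent) and image in SCRIPT_HOSTS:
                findings.append({"event": idx, "rule": "screenconnect_spawns_script_host"})
        elif ev["id"] == 13:
            # Rule 4: VBAWarnings set to 1, which silences macro prompts.
            if MACRO_KEY.search(ev["target_object"]) and ev["details"].strip().endswith("(0x00000001)"):
                findings.append({"event": idx, "rule": "macro_warnings_disabled"})
    return findings


def rules_fired(events: list[dict]) -> set[str]:
    """Distinct rule names that fired; handy for a quick host-level verdict."""
    return {f["rule"] for f in triage(events)}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"event {finding['event']}: {finding['rule']}")
```

Each rule is independent on purpose: one of them alone is noisy on an admin box (schtasks in particular), but the combination of a ScreenConnect child process, inline mshta script and a macro-warning change on the same host within a short window is the behavioural cluster worth escalating regardless of what the strings inside the VBScript look like.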