Hackers are capitalizing on a fresh vulnerability in ConnectWise ScreenConnect, in another instance of cyber misuse.

Malware researchers have discovered a novel malware strain that threat actors are delivering through rapidly exploited security weaknesses.

Unknown cybercriminal group observed taking advantage of ConnectWise ScreenConnect vulnerability

New Malware, ToddlerShark, Exploits ConnectWise ScreenConnect Vulnerabilities

A new malware, ToddlerShark, has been identified by Kroll Cyber Threat Intelligence; it exploits security flaws in ConnectWise ScreenConnect software. The name ToddlerShark suggests a connection to, or an evolution of, the earlier malware named BabyShark, implying a thematic or technical lineage in their development or targeting methods.

ToddlerShark specifically targets the ScreenConnect vulnerabilities, including the critical authentication bypass vulnerability CVE-2024-1709, to infect systems. This malware has been linked to the North Korean APT group Kimsuky, which has actively exploited these ScreenConnect flaws to deploy it. Kimsuky is known for cyber espionage and advanced persistent threats, indicating that ToddlerShark is part of broader offensive campaigns leveraging these vulnerabilities.

The attacks using ToddlerShark are not limited to a single industry or supply chain, and ToddlerShark is not the only payload seen. Trend Micro researchers have linked Black Basta ransomware to threat activity targeting the ConnectWise ScreenConnect vulnerabilities, although specific details about a supply chain attack or a ransomware attack against a particular industry are not available. At-Bay researchers have likewise linked Play ransomware to threat activity targeting the ConnectWise ScreenConnect vulnerabilities.

Sophos researchers identified attacks using LockBit tools, but it is not clear whether these attacks involved LockBit 3.0. The malware in the ToddlerShark attack used a legitimate Microsoft binary and exhibited polymorphic behavior, making it more difficult to detect.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709, which carries the maximum CVSS score of 10, to its Known Exploited Vulnerabilities catalog. Corporate stakeholders are seeking to better understand the risk calculus of their technology stacks, with a particular interest in determining whether they are a target.

BabyShark malware is linked to a group tracked by Kroll researchers as KTA082, also known as Kimsuky. This group has been identified as targeting U.S. national security think tanks. ToddlerShark shares similarities with BabyShark, suggesting an ongoing campaign or related toolsets.

Multiple criminal threat groups are targeting the ConnectWise ScreenConnect vulnerabilities, which were originally disclosed in February. It is crucial for organisations using this software to patch these vulnerabilities and to stay vigilant against potential threats.

  1. The new malware, ToddlerShark, identified by Kroll Cyber Threat Intelligence, shares similarities with BabyShark malware, implying a potential ongoing campaign or related toolsets.
  2. ToddlerShark specifically targets the ScreenConnect vulnerabilities, including the critical authentication bypass vulnerability, CVE-2024-1709, which has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency (CISA).
  3. The North Korean APT group Kimsuky, known for cyber espionage and advanced persistent threats, has been linked to ToddlerShark, suggesting that it is part of broader offensive campaigns leveraging these vulnerabilities.
  4. In addition to ToddlerShark, other threats such as Black Basta ransomware, Play ransomware, and attacks using LockBit tools have been linked to threat activity targeting the ConnectWise ScreenConnect vulnerabilities, highlighting the significance of cybersecurity in the finance and technology sectors.