North Korean hacking group attacks ScreenConnect flaws to drop dangerous new malware

North Korean state-sponsored threat actors were observed using the recently discovered ScreenConnect vulnerabilities to steal sensitive data from their targets. 

A new report from Kroll shared with TechRadar Pro found a group known as Kimsuky (AKA Thallium) abused two flaws found in ConnectWise’s solution to drop ToddleShark, an upgraded version of the group’s other backdoors, BabyShark and ReconShark. 

BabyShark was previously seen on endpoints belonging to government firms, universities, and research centers in the West. While we don’t know who the victims were in this case, it’s safe to assume they’re from the same verticals.

Two ScreenConnect flaws

As for the data Kimsuky obtained this way, the researchers said they grabbed information regarding hostnames, system configuration details, user accounts, active user sessions, network configurations, data on security software, all current network connections, enumeration of running processes, and a list of installed software.

This information, most likely, allows the threat actor to prepare for a more destructive cyberattack. Kimsuky is known for cyber-espionage against government entities. 

To drop ToddleShark, Kimsuky abused two ScreenConnect vulnerabilities: CVE-2024-1709 (authentication bypass flaw), and CVE-2024-1708 (path traversal vulnerability). ConnectWise discovered them late last month, and soon after disclosing the findings, observed them being massively abused. Threat actors from all over the world flocked to take advantage of unpatched endpoints, and drop various malware, and even ransomware. Some researchers said the infamous LockBit group also used the flaws to drop its encryptor.

A company spokesperson said the majority of its clients (80%) use cloud-based environments which were patched within two days.

The exact number of firms affected by the flaws is hard to determine, but the media reported that more than one million SMBs managing over 13 million devices are ConnectWise customers.

ScreenConnect is a remote access platform, allegedly used by more than one million companies around the world. 

More from TechRadar Pro

• The ConnectWise cyberattack just got a whole lot worse
• Here’s a list of the best firewalls around today
• These are the best endpoint security tools right now