TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
by Keith Wojcieszek, George Glass, Dave Truman
Tue, Mar 5, 2024
Key Takeaways
The Kroll CTI team observed a campaign using a new malware that appears to be very similar to BABYSHARK, previously reported to have been developed and used by the APT group Kimsuky (KTA082).
The malware was deployed as part of an attempted compromise that was detected and stopped by the Kroll Responder team. The activity started with exploitation of a recently addressed authentication bypass in the remote desktop software ScreenConnect, developed by ConnectWise.
Two vulnerabilities, one critical and one high severity, tracked as CVE-2024-1708 and CVE-2024-1709, were recently addressed in ConnectWise ScreenConnect and have been exploited by many threat actors because they are trivial to exploit.
CVE-2024-1709 (CVSS 10.0) allows authentication bypass due to insufficient path filtering. The check that is meant to block access to the setup wizard once installation is complete only matches the exact page path, so appending any string after the .aspx extension (a trailing slash is enough) slips past the filter and exposes the setup wizard, which can then be used to create a new administrative user.
CVE-2024-1708 (CVSS 8.4) is a path traversal vulnerability that …