Subj : North Korean hacking group attacks ScreenConnect flaws to drop da To : All From : TechnologyDaily Date : Tue Mar 05 2024 16:00:05 North Korean hacking group attacks ScreenConnect flaws to drop dangerous new malware Date: Tue, 05 Mar 2024 15:44:40 +0000 Description: BabyShark has grown into ToddleShark, and can now grab all kinds of sensitive data. FULL STORY ====================================================================== North Korean state-sponsored threat actors were observed using the recently discovered ScreenConnect vulnerabilities to steal sensitive data from their targets. A new report from Kroll shared with TechRadar Pro found a group known as Kimsuky (AKA Thallium) abused two flaws found in ConnectWises solution to drop ToddleShark, an upgraded version of the groups other backdoors, BabyShark and ReconShark. BabyShark was previously seen on endpoints belonging to government firms, universities, and research centers in the West. While we dont know who the victims were in this case, its safe to assume theyre from the same verticals. Two ScreenConnect flaws As for the data Kimsuky obtained this way, the researchers said they grabbed information regarding hostnames, system configuration details, user accounts, active user sessions, network configurations, data on security software, all current network connections, enumeration of running processes, and a list of installed software. This information, most likely, allows the threat actor to prepare for a more destructive cyberattack. Kimsuky is known for cyber-espionage against government entities. To drop ToddleShark, Kimsuky abused two ScreenConnect vulnerabilities: CVE-2024-1709 (authentication bypass flaw), and CVE-2024-1708 (path traversal vulnerability). ConnectWise discovered them late last month, and soon after disclosing the findings, observed them being massively abused. Threat actors from all over the world flocked to take advantage of unpatched endpoints, and drop various malware , and even ransomware. Some researchers said the infamous LockBit group also used the flaws to drop its encryptor. A company spokesperson said the majority of its clients (80%) use cloud-based environments which were patched within two days. The exact number of firms affected by the flaws is hard to determine, but the media reported that more than one million SMBs managing over 13 million devices are ConnectWise customers. ScreenConnect is a remote access platform, allegedly used by more than one million companies around the world. More from TechRadar Pro The ConnectWise cyberattack just got a whole lot worse Here's a list of the best firewalls around today These are the best endpoint security tools right now ====================================================================== Link to news story: https://www.techradar.com/pro/security/north-korean-hacking-group-attacks-scre enconnect-flaws-to-drop-dangerous-new-malware --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .