ConnectWise Cyber Attacks See Swift Expansion of Play and LockBit Ransomware
ConnectWise ScreenConnect Vulnerabilities Under Active Exploitation in Cyber Attacks
A series of cyber attacks has been linked to unauthorized activity, including efforts to manipulate Active Directory and install AnyDesk on key systems, in connection with ransom demands. These attacks are believed to exploit vulnerabilities in the ConnectWise ScreenConnect remote access software.
The use of ransomware, such as Play and LockBit 3.0, in these attacks is a growing concern for organizations worldwide. Researchers from Sophos and Trend Micro have previously disclosed attacks linked to these ransomware variants in connection with the ConnectWise ScreenConnect vulnerabilities.
Phishing campaigns using malicious ScreenConnect installers have been identified as a common tactic in these attacks. These campaigns often impersonate trusted entities such as the IRS or SSA to trick victims into installing trojanized versions of the ScreenConnect remote access software, enabling credential theft and further compromise.
Technical vulnerabilities in ConnectWise ScreenConnect, including an improper-authentication flaw and a ViewState code-injection vector, have been confirmed and are being actively exploited. These critical remote code execution flaws require immediate patching.
While active campaigns extensively abuse ConnectWise ScreenConnect for initial access and lateral movement, the available information up to August 2025 does not explicitly link these vulnerabilities to Play ransomware, LockBit 3.0, Black Basta, or Bloody ransomware by name. However, given the prevalence of the ScreenConnect remote monitoring and management (RMM) tool in the ransomware ecosystem, such connections are plausible and under active investigation.
Corporate stakeholders are increasingly concerned about the potential for their organizations to be targeted by cyber attacks. They are seeking to better understand the risk calculus of their technology stacks, asking the question: are we a target? The critical authentication bypass vulnerability in ConnectWise ScreenConnect, tracked as CVE-2024-1709, carries a CVSS score of 10, underscoring the urgency of patching and securing these systems.
Security experts are concerned about the ease with which criminals can target the ConnectWise ScreenConnect vulnerability due to the potentially large number of businesses that are unaware of the risk or have yet to implement the patches. In a separate incident, a finance company discovered unauthorized activity, including efforts to manipulate Active Directory and install AnyDesk on key systems, which was linked to Play ransomware and included a ransom demand.
In summary, ConnectWise ScreenConnect vulnerabilities are actively exploited in phishing and remote access attacks. Attackers use these compromises for credential theft, remote control, and potentially to stage malware or ransomware infections. While public detailed attribution tying specific ransomware variants such as Play ransomware, LockBit 3.0, Black Basta, and Bloody ransomware to these exact ScreenConnect exploits has not been disclosed, given the prevalence of RMM tool abuse in ransomware operations, such connections are plausible and under active investigation.
- The vulnerabilities in ConnectWise ScreenConnect remote access software are exploited by cyber attackers, facilitating credential theft and potentially paving the way for ransomware infections.
- The widespread use of ransomware variants like Play and LockBit 3.0 in conjunction with exploited ScreenConnect vulnerabilities indicates a growing threat to the cybersecurity landscape, with researchers from Sophos and Trend Micro having previously disclosed related attacks.
- With the increasing concern among corporate stakeholders about potential cyber threats, understanding the risk calculus of one's technology stack becomes crucial. For instance, the critical authentication bypass vulnerability in ConnectWise ScreenConnect, identified as CVE-2024-1709, has a CVSS score of 10, emphasizing the urgency for rapid patching and enhanced cybersecurity measures.