
Hackers continue to capitalize on ConnectWise ScreenConnect vulnerabilities with another attack reported.

Researchers at Kroll have discovered a new form of malware, which threat actors are utilizing to capitalize on rapidly emerging security weaknesses.

Unidentified cybercriminals leverage ConnectWise ScreenConnect for malicious activities once more.


New Malware Threat Emerges: ToddlerShark

A new malware threat has surfaced, known as ToddlerShark, which cybersecurity researchers have linked to North Korean-linked actors such as Kimsuky. This malware, like its counterpart BabyShark, poses a potential threat to U.S. national security think tanks.

ToddlerShark, similar to BabyShark, uses a legitimate Microsoft binary and exhibits polymorphic behavior, making it more difficult to detect. Both malware families are attributed to recent campaigns linked to North Korean cyber threat actors, sometimes associated with Kimsuky or closely related groups.

The malware has been deployed through the exploitation of vulnerabilities in the widely used remote support and remote access platform ConnectWise ScreenConnect. The critical authentication bypass vulnerability in ScreenConnect, CVE-2024-1709, has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency (CISA), highlighting its severity.

This exploitation allows attackers to gain unauthorized remote access to compromised systems, potentially leading to cyber espionage activities. Sophos researchers have also identified attacks using LockBit tools related to the ConnectWise ScreenConnect vulnerabilities.

Kroll Cyber Threat Intelligence researchers announced these findings on Tuesday, adding that ToddlerShark shares similarities with BabyShark, previously identified as targeting U.S. national security think tanks. Trend Micro researchers have also linked Black Basta ransomware and Bloody Ransomware to threat activity targeting vulnerabilities in ScreenConnect.

In a separate incident, a finance company was a target of a suspected ransomware attack involving Play ransomware, related to the ConnectWise ScreenConnect vulnerabilities. LockBit 3.0 has also been used in a suspected supply chain attack related to the ConnectWise ScreenConnect vulnerabilities.

It is crucial to stay vigilant and update security measures to protect against these malware threats. For precise and up-to-date technical details, consulting recent cybersecurity vendor reports or threat intelligence advisories is recommended.

  1. The cybersecurity community is urging organizations to patch the critical authentication bypass vulnerability in ScreenConnect (CVE-2024-1709), as it has been exploited to deploy the new malware threat ToddlerShark, which shares similarities with the previously known malware BabyShark.
  2. ToddlerShark, a North Korean-linked malware, has been found in attacks exploiting vulnerabilities in ScreenConnect, potentially leading to cyber espionage; the same vulnerabilities have also been used in ransomware attacks.
  3. Kroll Cyber Threat Intelligence has linked ToddlerShark to Kimsuky, while Trend Micro, Sophos and others have linked Black Basta ransomware, Bloody Ransomware and LockBit to separate activity targeting the ScreenConnect vulnerabilities.
  4. Organizations running data and cloud computing services should prioritize cybersecurity, considering the emerging threat of malware like ToddlerShark and the exploitation of known vulnerabilities such as CVE-2024-1709 in widely used platforms like ScreenConnect.
  5. The technology sector and national security think tanks should remain vigilant against threats like ToddlerShark and BabyShark, as their polymorphic behavior makes them harder to detect and can lead to significant data breaches and cyber attacks.
