Kroll has uncovered a sophisticated cyberattack that leverages vulnerabilities in ConnectWise ScreenConnect software to deploy a variant of the BabyShark malware dubbed ToddlerShark. The targeted campaign exploits flaws in the remote access tool to gain unauthorized access and deliver the malicious payload.

Diving into details

The North Korean APT group Kimsuky is reportedly exploiting ScreenConnect flaws—CVE-2024-1708 and CVE-2024-1709—to deploy ToddlerShark for long-term espionage and data exfiltration.

  • The researchers believe that ToddlerShark is a new variant of Kimsuky’s ReconShark and BabyShark backdoors, which were previously used in campaigns aimed at government organizations, universities, and other entities across the U.S., Asia, and Europe.
  • ToddlerShark uses polymorphic traits, legitimate Microsoft binaries, and registry modifications to establish persistence and gather sensitive information from infected devices.
  • It also uses unique C2 URLs, which makes it challenging to detect.

ScreenConnect bug abuse timeline

The Black Basta and Bl00dy ransomware gangs were also spotted targeting the CVE-2024-1709 bug. It should be noted that this vulnerability has a CVSS score of 10.  
  • In February, Sophos warned that the LockBit ransomware group was exploiting the vulnerabilities.
  • In January, the HHS HC3 issued a warning about attacks on healthcare sector firms using ConnectWise’s ScreenConnect remote access tool. 
  • The warning came after a large pharmacy supply chain using a self-hosted version of ScreenConnect was compromised in 2023, potentially putting other entities at risk.

The bottom line

The number of attackers abusing the ScreenConnect flaws is rising with each passing day. By prioritizing security updates and adopting a proactive security stance, organizations can safeguard their systems and data against cyberattacks.