Savvy Seahorse Leverages DNS Canonical Names In Financial Scam Campaigns

Description

In February 2024, ConnectWise disclosed serious vulnerabilities (CVE-2024-1708 and CVE-2024-1709) in its ScreenConnect software versions 23.9.7 and earlier, allowing unauthorized access and control. Exploitation of these flaws has led to ransomware attacks, causing significant disruptions. ConnectWise has released critical security patches and urges customers to update to the latest version to mitigate risks. Black Basta, among other groups, exploited these vulnerabilities, deploying Cobalt Strike beacons for reconnaissance and privilege escalation. Another group, utilizing Cobalt Strike payloads, attempted to disable Windows Defender to evade detection. Additionally, the Bl00dy Ransomware group, using leaked builders from Conti and LockBit Black, capitalized on these vulnerabilities, identifying themselves through ransom notes. The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Trend Micro and shared publicly https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html