ScreenConnect Vulnerabilities Exploited By Threat Operators

ConnectWise ScreenConnect, a widely used remote desktop solution, recently faced security vulnerabilities (CVE-2024-1709, CVE-2024-1708) that allowed threat actors to exploit its server component. This article explores the impact of these vulnerabilities, the types of malware deployed, ConnectWise’s response, and the ongoing efforts to mitigate risks.

Overview of ConnectWise ScreenConnect

ConnectWise ScreenConnect is a remote desktop solution with server and client elements. The server, offered as a service or self-hosted, enables remote access to workstations for technical assistance and data center management.

Vulnerabilities and Patches

The ScreenConnect vulnerabilities, affecting versions up to 23.9.7, include an authentication bypass (CVE-2024-1709) and a path traversal flaw (CVE-2024-1708). ConnectWise promptly patched its cloud environments and urged users to upgrade to version 23.9.8. Subsequent versions (v23.9.10.8817 and v22.4) were released without license restrictions for widespread user access.

Exploitation and Malware

Post-exploit, threat actors exploited CVE-2024-1709 to compromise ScreenConnect servers. Mandiant reported mass exploitation, leading to ransomware, extortion, and various malware deployments. Sophos noted ransomware, infostealers, RATs, worms, and additional remote access clients being utilized. Huntress identified cryptocurrency miners, SSH backdoors, and persistent reverse shells in some attacks.

Investigation and Remediation

Users failing to upgrade face time-consuming investigations to detect compromise, assess network penetration, and clean affected systems. Sophos emphasizes immediate isolation, patching, and scrutiny for signs of compromise. Active attacks against servers and client machines underscore the urgency of prompt remediation.

ConnectWise’s Response and Mitigation

ConnectWise swiftly addressed vulnerabilities, mitigating around 80% of ScreenConnect instances. Continuous communication, hourly reports, and backdated upgrade patches demonstrate a commitment to resolving the issue. The company collaborated with security researchers and removed license restrictions for broader user access to critical patches.

Industry Impact

The vulnerabilities have wider ramifications, with Mandiant identifying “mass exploitation.” Various malware exploits, affecting organizations like UnitedHealth Group’s Change Healthcare, underline the severe consequences. CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, emphasizing the urgency for mitigation.

CISA’s Warning and ConnectWise’s Update

CISA directed ConnectWise partners to disconnect on-prem servers lacking updates by February 29 or apply mitigations as per vendor instructions. ConnectWise took an exceptional step, allowing non-maintenance partners to install critical patches at no cost. However, on-premises partners are strongly advised to upgrade for comprehensive security and product enhancements.

ConnectWise ScreenConnect’s recent vulnerabilities highlight the critical need for robust cybersecurity practices. The response from ConnectWise, security researchers, and relevant agencies reflects the collaborative effort required to address and mitigate such threats swiftly. Users are urged to prioritize system upgrades, remain vigilant against emerging threats, and actively engage in cybersecurity hygiene to safeguard against potential exploits. Our Security Operations Center remains staffed 24/7/365, working in a continuous investigative cycle to respond to unwarranted intrusions at a moment’s notice. Within minutes of engagement, SpearTip can respond to the breach and reclaim networks within hours. Then, we deliver a detailed report for comprehensive understanding. Our incident Response Planning (IRP) provides a comprehensive evaluation of a client’s current IRP. If not currently in place, the Advisory Services team will draft and provide a plan that is unique to the client’s needs and operations. SpearTip’s engineers and analysts within our 24/7/365 Security Operations Center utilize the ShadowSpear Platform to respond to active threats by continuously monitoring your environment. The SOC is built to relieve the burden of cybersecurity from your team by acting and informing organizations. The ShadowSpear Platform is an integrable security solution with the combined capabilities of SIEM, AV, MDR, anti-phishing tools, and much more.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.