Two new vulnerabilities influence ConnectWise ScreenConnect, distant desktop and entry software program used for help: CVE-2024-1709 and CVE-2024-1708, with the previous being notably harmful for organizations.
The CVE-2024-1709 vulnerability, which impacts ScreenConnect 23.9.7 and prior, permits any distant attacker to bypass authentication to delete the ScreenConnect person database and get management of an admin person. Massive exploitation by attackers is ongoing within the wild, with greater than 3,000 susceptible cases reachable from the web. Security firms have noticed ransomware, data stealers and Cobalt Strike payloads, to call a number of, being put in after profitable exploitation of the vulnerability.
The CVE-2024-1708 vulnerability, which isn’t as extreme as CVE-2024-1709, permits path traversal, which permits an attacker to entry information and directories that shouldn’t be accessible.
Technical particulars in regards to the ScreenConnect CVE-2024-1709 vulnerability
U.S.-based cybersecurity firm Huntress launched technical particulars in regards to the ScreenConnect CVE-2024-1708 and CVE-2024-1709 vulnerabilities, the latter being notably harmful as a result of a easy request to a particular path on uncovered cases permits an attacker to connect with the setup wizard of the occasion (Figure A).
As defined by Huntress researchers, the setup wizard is chargeable for establishing the preliminary admin person and putting in a license on the system. The Huntress workforce wrote, “The user creation portion of this setup happens immediately after clicking the ‘Next’ button on the setup page, so there is no need to complete the setup wizard fully to exploit the system.” If an attacker completes this step, the interior person database shall be totally overwritten, and all native customers shall be deleted, leaving solely the attacker as administrator of the occasion.
Once that is achieved, it’s trivial to create and add a malicious ScreenConnect extension to achieve full distant code execution on the occasion, based on the researchers.
Another vulnerability has additionally been reported, CVE-2024-1708, which is a less-severe vulnerability permitting path traversal.
Massive exploitation of CVE-2024-1709 within the wild has began
Proof of idea for exploiting CVE-2024-1709 has been revealed on GitHub, displaying how one can add a brand new person to the compromised system.
Cybersecurity firm Sophos noticed a number of assaults on Feb. 21, 2024, with attackers dropping ransomware constructed with the LockBit builder software on 30 buyer networks. Important observe: The use of the LockBit ransomware builder software doesn’t imply that it has ties with the LockBit builders, particularly when the LockBit infrastructure was lately taken down. Any cybercriminal with entry to the builder could be behind these assaults, and the ransom observe noticed by Sophos talked about the “buthtiRansom” variant. Sophos acknowledged that one other ransomware primarily based on the LockBit builder referred to as “LockBit Black” was noticed however did not deploy in a buyer surroundings.
Password stealers, RATs and Cobalt Strike payloads
Cybersecurity assaults apart from ransomware are at the moment hitting the uncovered susceptible cases of ScreenConnect; as an illustration, password stealers (similar to Vidar/Redline) or RATs (similar to AsyncRAT) have additionally been noticed within the wild after exploitation of the CVE-2024-1709 vulnerability.
Cobalt Strike payloads have additionally hit uncovered ScreenConnect cases. Sophos noticed three comparable assaults dropping a .cmd file within the short-term folder the place ScreenConnect downloads information earlier than executing it. The cmd tried to launch PowerShell to obtain a further payload however failed attributable to endpoint safety.
Thousands of uncovered ScreenConnect cases, totally on U.S.-based IP addresses
ONYPHE, a French cyber protection search engine devoted to assault floor discovery & assault floor administration, supplied TechRepublic with statistics about uncovered ScreenConnect cases.
Between Feb. 19-25, 2024, ONYPHE noticed 5,731 uncovered ScreenConnect distinctive IP addresses, with 3,284 of these being susceptible to CVE-2024-1709. Most of these cases are operating on U.S.-based IP addresses (66.12%), adopted by Canada (7.84%) and the U.Ok. (7.35%) (Figure B).
How to guard from exploitation by way of these ConnectWise ScreenConnect vulnerabilities
How to detect exploitation of those ConnectWise ScreenConnect vulnerabilities
Regarding detection, looking for the sample “/SetupWizard.aspx/” in server logs may point out an assault try. The “%ProgramFiles(x86)%ScreenConnectApp_Extensions” folder also needs to be monitored, because it could be used for storing and executing attackers’ payloads.
How to guard your online business from these ConnectWise ScreenConnect exploits
ConnectWise indicated in its safety bulletin on Feb. 23, 2024 that “they have taken an exception step to support partners no longer under maintenance by making them eligible to install version 22.4 at no additional cost, which will fix CVE-2024-1709.”
SEE: Download this Incident Reporting and Response Procedures Policy from TechRepublic Premium
ConnectWise recommends on-premise companions instantly replace ScreenConnect to 23.9.8 or increased to remediate reported vulnerabilities. ConnectWise has additionally rolled out a further mitigation step for unpatched, on-premise customers that suspends an occasion if it’s not on model 23.9.8 or later.
Cloud companions are remediated towards the vulnerabilities reported by ConnectWise. On-prem companions are suggested to right away improve to the newest model of ScreenConnect. ConnectWise has eliminated license restrictions, so companions now not underneath upkeep can improve to the newest model of ScreenConnect.
Disclosure: I work for Trend Micro, however the views expressed on this article are mine.