
February 22, 2024

Critical ScreenConnect vulnerabilities quickly exploited by threat actors


ConnectWise is now advising that it has observed threat actors exploiting two recent vulnerabilities in its ScreenConnect remote desktop software.

The news comes just a day after the vendor released updates to address CVE-2024-1708, an alternate path/channel authentication bypass, and CVE-2024-1709, an improper pathname limitation vulnerability.

The public availability of proof-of-concept exploit code and technical details regarding the flaws has likely helped threat actors abuse them so quickly. ConnectWise is urging its customers with on-premises servers to install the security patches as soon as possible, while instances hosted on screenconnect[.]com or hostedrmm[.]com have already been updated by the vendor.

Source: Bleeping Computer

Analysis

Field Effect can confirm that it has observed ongoing targeting of unpatched ScreenConnect instances. Our analysis of this activity has revealed that threat actors are leveraging the vulnerabilities to access the ScreenConnect setup wizard and create new ScreenConnect user accounts, which are subsequently used to log in to the application.

This results in the legitimate administrators being locked out of the system while threat actors use their newly established access to conduct limited post-exploitation activity against systems managed by the ScreenConnect application. Left unchecked, this could lead to remote code execution, including the deployment of malware or ransomware, and the exfiltration of data from accessible systems.

On February 21, 2024, ConnectWise released version 23.9.10.8817 of ScreenConnect, which contains multiple customer experience improvements in addition to addressing reported vulnerabilities. This update was released without license restrictions so that users no longer under maintenance can upgrade to the latest version of ScreenConnect.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software like ScreenConnect. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.




Field Effect strongly encourages users of affected versions of ScreenConnect to install the latest security patch (version 23.9.10.8817) as soon as possible in accordance with ConnectWise’s instructions.

Field Effect also recommends taking the server offline to inspect the Internet Information Services (IIS) logs for known Indicators of Compromise (IoCs) associated with threat actors exploiting these vulnerabilities, to confirm that the ScreenConnect instance wasn’t compromised.
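
The log review recommended above can be scripted. The following is an added example, not Field Effect's or ConnectWise's code: it parses IIS W3C logs using their `#Fields:` header and groups requests matching an indicator pattern by client IP. The URI pattern is a labelled placeholder and the log lines are constructed; substitute the indicators published by the vendor.

```python
import re
from collections import defaultdict

# ASSUMPTION: placeholder indicator, not a real ScreenConnect path. Replace it
# with the URI patterns published for CVE-2024-1708 / CVE-2024-1709.
SUSPECT_URI = re.compile(r"^/PLACEHOLDER-SETUP-WIZARD-PATH", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-02-21 10:01:02 192.0.2.10 GET /Login - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2024-02-21 10:05:40 192.0.2.10 GET /PLACEHOLDER-SETUP-WIZARD-PATH/x - 443 - 203.0.113.9 curl/8.0 - 200 0 0 30
2024-02-21 10:05:44 192.0.2.10 POST /placeholder-setup-wizard-path/x - 443 - 203.0.113.9 curl/8.0 - 302 0 0 41
2024-02-21 10:09:00 192.0.2.10 GET /PLACEHOLDER-SETUP-WIZARD-PATH - 443 - 198.51.100.7 Mozilla/5.0 - 404 0 0 3
2024-02-21 10:09:05 192.0.2.10 GET /truncated
"""


def find_suspect_requests(log_text, pattern=SUSPECT_URI):
    """Group requests whose URI stem matches `pattern` by client IP."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        if pattern.search(row.get("cs-uri-stem", "")):
            hits[row.get("c-ip", "-")].append(
                (f"{row.get('date', '')} {row.get('time', '')}",
                 row.get("cs-method", ""), row["cs-uri-stem"],
                 row.get("sc-status", "")))
    return dict(hits)


def served_clients(hits):
    """Client IPs that got a 2xx/3xx answer, i.e. the request was not rejected."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(status[:1] in ("2", "3") for *_, status in reqs))


if __name__ == "__main__":
    found = find_suspect_requests(SAMPLE_LOG)
    print("review first:", served_clients(found))
```

Client IPs returned by `served_clients` are the ones to correlate with newly created ScreenConnect user accounts.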
