
February 22, 2024

Ransomware groups targeting unpatched ScreenConnect servers


Ransomware groups are now exploiting CVE-2024-1709, a critical authentication bypass flaw affecting ConnectWise’s ScreenConnect remote desktop access application. Researchers have identified several different ransomware groups leveraging the flaw, including LockBit, which was the target of an international takedown operation earlier this week.

Despite a patch having been available for several days, Internet-exposed device search engines such as Shodan show that only 11% of detectable ScreenConnect instances had been updated to a fixed version at the time of publishing. The rest remain exposed to threat actors who now have multiple public, easy-to-use exploits for the flaw.

In light of this active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog and issued an order to federal agencies to secure their ScreenConnect servers by February 29.

Source: Bleeping Computer

Analysis

Field Effect has been working with our Managed Service Provider (MSP) partners to identify and contain the risks associated with the recent ScreenConnect vulnerabilities. We have observed multiple incidents in which a small number of systems were compromised through legacy, unpatched (and likely forgotten) ScreenConnect instances that third-party contractors or external vendors had installed in clients’ environments.

The compromised ScreenConnect servers are being used to push post-exploitation tooling such as Cobalt Strike beacons onto managed endpoints, followed almost immediately by attempts to execute ransomware payloads. Because the flaw lives in the server, it is critically important for organizations to check across their environments for older ScreenConnect clients, which point back to unpatched servers, and then to uninstall or disable those installations, or block external connectivity to the affected servers until they are patched.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for vulnerabilities discovered in software like ScreenConnect. This research feeds the timely deployment of signatures into Covalence to detect and mitigate exploitation of these vulnerabilities. Covalence users have been automatically notified via the Covalence Portal if a vulnerable version of ScreenConnect was detected in their environment, and will also be notified if any post-exploitation activity related to the ScreenConnect vulnerabilities is detected.

Field Effect strongly encourages users of affected versions of ScreenConnect to update to the patched release (version 23.9.10.8817 at the time of writing) as soon as possible, following ConnectWise’s instructions.

Unknown ScreenConnect installations can be identified by searching ConnectWise Automate for application names that contain “ScreenConnect” but do not contain a unique installation ID (client installs carry one in their display name; a server install does not). Any such installation that is vulnerable should be removed.
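The same triage can be run against an exported software inventory rather than by hand in the Automate console. The script below is an added example, not Field Effect’s or ConnectWise’s own code. It assumes an inventory of (hostname, application name, version) rows, it assumes that ScreenConnect client installs carry a parenthesized hexadecimal installation ID in their name while a server install is named plainly “ScreenConnect”, it uses the 23.9.10.8817 build recommended above as the baseline below which an install is flagged, and the sample inventory and the `KNOWN_SERVERS` set are constructed for the example.

```python
import re
from typing import Iterable, List, NamedTuple, Set, Tuple

# Baseline taken from the advisory above: anything below this build is flagged as needing an update.
RECOMMENDED_VERSION = "23.9.10.8817"

# Assumption about ScreenConnect naming: a *client* install carries a per-server installation ID
# in parentheses, e.g. "ScreenConnect Client (0a1b2c3d4e5f6789)"; a *server* install is named plainly.
INSTALL_ID_RE = re.compile(r"\(([0-9a-f]{8,})\)", re.IGNORECASE)


class Finding(NamedTuple):
    host: str
    name: str
    version: str
    kind: str        # "server" or "client"
    outdated: bool   # True when version < RECOMMENDED_VERSION


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.10.8817' into (23, 9, 10, 8817) so builds compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_outdated(version: str, baseline: str = RECOMMENDED_VERSION) -> bool:
    return parse_version(version) < parse_version(baseline)


def classify(app_name: str):
    """Return 'client', 'server', or None for software that is not ScreenConnect at all."""
    if "screenconnect" not in app_name.lower():
        return None
    return "client" if INSTALL_ID_RE.search(app_name) else "server"


def triage(inventory: Iterable[Tuple[str, str, str]],
           baseline: str = RECOMMENDED_VERSION) -> List[Finding]:
    """Keep only ScreenConnect rows from a (host, app name, version) inventory and flag stale builds.

    An old *client* build matters too: clients are updated by the server they belong to,
    so an old client is a pointer to a server that has not been patched.
    """
    findings = []
    for host, name, version in inventory:
        kind = classify(name)
        if kind is None:
            continue
        findings.append(Finding(host, name, version, kind, is_outdated(version, baseline)))
    return findings


def unknown_servers(findings: Iterable[Finding], known_servers: Set[str]) -> List[Finding]:
    """Server installs on hosts nobody has on record: the 'forgotten' instances the analysis warns about."""
    return [f for f in findings if f.kind == "server" and f.host not in known_servers]


# Constructed sample inventory (hostnames, install IDs and build numbers are made up for this example).
SAMPLE_INVENTORY = [
    ("FILESRV01", "ScreenConnect", "23.9.7.0"),                              # forgotten vendor-installed server
    ("WS-042", "ScreenConnect Client (0a1b2c3d4e5f6789)", "23.9.7.0"),       # client pointing at that server
    ("DC01", "7-Zip", "23.01"),                                             # unrelated software, ignored
    ("WS-017", "ScreenConnect Client (f1e2d3c4b5a69788)", "23.9.10.8817"),  # client of the patched server
    ("APP02", "ScreenConnect", "23.9.10.8817"),                             # the one server IT knows about
]
KNOWN_SERVERS = {"APP02"}   # constructed: hosts where a ScreenConnect server is supposed to exist


if __name__ == "__main__":
    findings = triage(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.host:10} {f.kind:6} {f.version:14} {'UPDATE' if f.outdated else 'ok':6} {f.name}")
    for f in unknown_servers(findings, KNOWN_SERVERS):
        print(f"UNKNOWN SERVER INSTALL on {f.host} (version {f.version}) - remove if not sanctioned")
```

Feed it the real export in place of `SAMPLE_INVENTORY`; the two lists it produces (stale builds, and server installs on hosts nobody sanctioned) are exactly the items the paragraph above says to remove or patch.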

Field Effect also recommends taking affected servers offline and inspecting their Internet Information Services (IIS) logs for evidence of exploitation attempts, as well as checking for any activity matching the known Indicators of Compromise (IoCs) associated with the threat actors exploiting these vulnerabilities.
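A first pass over those IIS logs can be scripted. The parser below is an added example, not Field Effect’s or ConnectWise’s own tooling. The indicator it keys on is an assumption drawn from public analyses of CVE-2024-1709 rather than from this advisory: on a server that completed its initial setup long ago, the setup wizard should never be requested again, and exploitation reaches it through a request path with something appended after `SetupWizard.aspx` (even just a trailing slash). The sample log lines, addresses and user agents are constructed.

```python
import re
from typing import Dict, Iterable, Iterator, List

# Assumption from public analyses of CVE-2024-1709 (not from the advisory above): the setup wizard is
# only legitimately reachable as /SetupWizard.aspx during first-time setup, so a path with anything
# appended after it (even a bare "/") on a long-configured server is abnormal. That is what we key on.
WIZARD_PATH_RE = re.compile(r"^/setupwizard\.aspx/", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request from IIS W3C extended log text, honouring every #Fields directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]      # column layout can change mid-file after an IIS restart
            continue
        if not fields:
            raise ValueError("data line encountered before any #Fields directive")
        parts = line.split(" ")               # IIS encodes spaces inside a field as '+', so a plain split is safe
        if len(parts) != len(fields):
            continue                           # truncated or garbled line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_setup_wizard_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every request whose path matches the abnormal SetupWizard pattern."""
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        if WIZARD_PATH_RE.match(stem):
            hits.append({
                "when": f"{row.get('date')} {row.get('time')}",
                "client": row.get("c-ip", "?"),
                "method": row.get("cs-method", "?"),
                "path": stem,
                "status": row.get("sc-status", "?"),
                "user_agent": row.get("cs(User-Agent)", "?"),
            })
    return hits


def suspicious_clients(lines: Iterable[str]) -> List[str]:
    """Distinct source IPs that touched the wizard abnormally; pivot on these across the rest of the log."""
    return sorted({h["client"] for h in find_setup_wizard_hits(lines)})


# Constructed sample log (timestamps, addresses and user agents are made up for this example).
# Line 1 is the genuine first-time setup from a year earlier and must NOT be flagged;
# the last line is deliberately truncated to show that malformed lines are skipped.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-02 09:01:10 10.0.0.5 GET /SetupWizard.aspx - 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
2024-02-21 03:12:44 10.0.0.5 GET /Login - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2024-02-21 03:12:51 10.0.0.5 GET /SetupWizard.aspx/ - 443 - 203.0.113.7 python-requests/2.31.0 200
2024-02-21 03:12:53 10.0.0.5 POST /SetupWizard.aspx/ - 443 - 203.0.113.7 python-requests/2.31.0 302
2024-02-21 03:13:10 10.0.0.5 GET /Host - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2024-02-21 03:13:12 10.0.0.5 GET /Host
"""


if __name__ == "__main__":
    for hit in find_setup_wizard_hits(SAMPLE_LOG.splitlines()):
        print(f"{hit['when']} {hit['client']:15} {hit['method']:4} {hit['path']} -> {hit['status']} [{hit['user_agent']}]")
    print("pivot on:", ", ".join(suspicious_clients(SAMPLE_LOG.splitlines())))
```

A GET followed within seconds by a POST to the wizard path from the same external address, as in the constructed sample, is the shape to look for; the POST is where a new administrative user would be created, so the matching source IP should then be searched across the remaining log entries and the server’s user list.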
