Two new vulnerabilities affect ConnectWise ScreenConnect, remote desktop and access software used for support: CVE-2024-1709 and CVE-2024-1708, with the former being particularly dangerous for organizations.
The CVE-2024-1709 vulnerability, which affects ScreenConnect 23.9.7 and prior, allows any remote attacker to bypass authentication, delete the ScreenConnect user database and take control of an admin user. Mass exploitation by attackers is ongoing in the wild, with more than 3,000 vulnerable instances reachable from the internet. Security companies have observed ransomware, information stealers and Cobalt Strike payloads, to name a few, being installed after successful exploitation of the vulnerability.
The CVE-2024-1708 vulnerability, which is not as severe as CVE-2024-1709, allows path traversal, which lets an attacker access files and directories that should not be accessible.
Technical details about the ScreenConnect CVE-2024-1709 vulnerability
U.S.-based cybersecurity company Huntress released technical details about the ScreenConnect CVE-2024-1708 and CVE-2024-1709 vulnerabilities, the latter being particularly dangerous because a simple request to a specific path on exposed instances allows an attacker to connect to the setup wizard of the instance (Figure A).
As explained by Huntress researchers, the setup wizard is responsible for setting up the initial admin user and installing a license on the system. The Huntress team wrote, “The user creation portion of this setup happens immediately after clicking the ‘Next’ button on the setup page, so there is no need to complete the setup wizard fully to exploit the system.” If an attacker completes this step, the internal user database will be fully overwritten, and all local users will be deleted, leaving only the attacker as administrator of the instance.
Once this is done, it is trivial to create and add a malicious ScreenConnect extension to gain full remote code execution on the instance, according to the researchers.
Another vulnerability has also been reported, CVE-2024-1708, which is a less severe vulnerability allowing path traversal.
Mass exploitation of CVE-2024-1709 in the wild has started
Proof of concept for exploiting CVE-2024-1709 has been published on GitHub, showing how to add a new user to the compromised system.
Cybersecurity company Sophos observed several attacks on Feb. 21, 2024, with attackers dropping ransomware built with the LockBit builder tool on 30 customer networks. Important note: The use of the LockBit ransomware builder tool does not mean that it has ties with the LockBit developers, especially since the LockBit infrastructure was recently taken down. Any cybercriminal with access to the builder can be behind these attacks, and the ransom note observed by Sophos mentioned the “buthtiRansom” variant. Sophos stated that another ransomware based on the LockBit builder called “LockBit Black” was observed but did not deploy in a customer environment.
Password stealers, RATs and Cobalt Strike payloads
Cyberattacks other than ransomware are currently hitting the exposed vulnerable instances of ScreenConnect; for example, password stealers (such as Vidar/Redline) or RATs (such as AsyncRAT) have also been observed in the wild after exploitation of the CVE-2024-1709 vulnerability.
Cobalt Strike payloads have also hit exposed ScreenConnect instances. Sophos observed three similar attacks dropping a .cmd file in the temporary folder where ScreenConnect downloads files before executing it. The cmd tried to launch PowerShell to download an additional payload but failed due to endpoint protection.
Thousands of exposed ScreenConnect instances, mostly on U.S.-based IP addresses
ONYPHE, a French cyber defense search engine dedicated to attack surface discovery and attack surface management, provided TechRepublic with statistics about exposed ScreenConnect instances.
Between Feb. 19-25, 2024, ONYPHE observed 5,731 unique IP addresses exposing ScreenConnect, with 3,284 of those being vulnerable to CVE-2024-1709. Most of these instances are running on U.S.-based IP addresses (66.12%), followed by Canada (7.84%) and the U.K. (7.35%) (Figure B).
How to protect from exploitation via these ConnectWise ScreenConnect vulnerabilities
How to detect exploitation of these ConnectWise ScreenConnect vulnerabilities
Regarding detection, searching for the pattern “/SetupWizard.aspx/” in server logs might indicate an attack attempt. The “%ProgramFiles(x86)%\ScreenConnect\App_Extensions” folder should also be monitored, as it might be used for storing and executing attackers’ payloads.
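The log hunt described above, as an added example that is not part of the original article: a small Python scanner that flags requests whose path contains “/SetupWizard.aspx/” (decoding percent-encoding first so encoded variants are not missed) and summarises hits per client IP. The log lines and their “ip method path status” layout are constructed here for illustration, not ScreenConnect's real log format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (assumed layout: client_ip method path status).
# 203.0.113.x and 198.51.100.x are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.10 GET /Login 200
203.0.113.10 GET /SetupWizard.aspx/ 200
203.0.113.10 POST /SetupWizard.aspx/anything 200
198.51.100.7 GET /Host 200
198.51.100.7 GET /%53etupWizard.aspx/ 200
198.51.100.7 GET /SetupWizard.aspx 200
"""

# The indicator from the article: the setup wizard path followed by a trailing slash
# (and anything after it). A bare /SetupWizard.aspx is the normal first-run page,
# so it is deliberately not matched here.
SETUP_WIZARD_PATTERN = re.compile(r"/setupwizard\.aspx/", re.IGNORECASE)


def is_setup_wizard_request(path: str) -> bool:
    """Return True when the request path hits the setup wizard indicator.

    The path is URL-decoded before matching so that percent-encoded
    spellings of the same path are not missed.
    """
    return bool(SETUP_WIZARD_PATTERN.search(unquote(path)))


def find_setup_wizard_hits(log_text: str) -> list[dict]:
    """Scan log lines and return one record per matching request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than crash
        ip, method, path, status = parts[:4]
        if is_setup_wizard_request(path):
            hits.append({"ip": ip, "method": method, "path": path, "status": status})
    return hits


def hits_per_client(log_text: str) -> dict:
    """Count matching requests per client IP, handy for triage ordering."""
    return dict(Counter(h["ip"] for h in find_setup_wizard_hits(log_text)))


if __name__ == "__main__":
    for hit in find_setup_wizard_hits(SAMPLE_LOG):
        print(hit)
    print(hits_per_client(SAMPLE_LOG))
```

A request matching this pattern is only a lead: confirm it by checking whether local users disappeared from the instance and whether anything new landed in the App_Extensions folder.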
How to protect your business from these ConnectWise ScreenConnect exploits
ConnectWise indicated in its security bulletin on Feb. 23, 2024 that “they have taken an exceptional step to help partners no longer under maintenance by making them eligible to install version 22.4 at no additional cost, which will fix CVE-2024-1709.”
ConnectWise recommends on-premise partners immediately update ScreenConnect to 23.9.8 or higher to remediate the reported vulnerabilities. ConnectWise has also rolled out an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later.
Cloud partners are already remediated against the vulnerabilities reported by ConnectWise. On-prem partners are advised to immediately upgrade to the latest version of ScreenConnect. ConnectWise has removed license restrictions, so partners no longer under maintenance can upgrade to the latest version of ScreenConnect.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.