ConnectWise urges organizations utilizing an on-premises set up of the ScreenConnect distant monitoring and administration software program (previously generally known as ConnectWise Management) to replace servers to model 23.9.8 instantly attributable to a crucial distant code execution vulnerability. The ScreenConnect distant desktop product is in danger attributable to a pair of vulnerabilities: CVE-2024-1709 and CVE-2024-1708.
ScreenConnect vulnerabilities below lively exploitation
Cybercriminals can chain the 2 vulnerabilities, leveraging the authentication bypass CVE-2024-1709 first after which shifting by the system with the trail traversal CVE-2024-1708. These vulnerabilities have an effect on ScreenConnect 23.9.7 and all prior ScreenConnect variations. As a result of ScreenConnect supplies distant entry performance, attackers concentrating on ConnectWise ScreenConnect could search to compromise crucial techniques for organizations with on-premises or self-hosted deployments.
These vulnerabilities observe a Cybersecurity and Infrastructure Security Agency (CISA) January advisory that warns a couple of widespread marketing campaign compromising distant monitoring and administration software program, together with ScreenConnect, to realize persistence and management of the goal community. Whereas the earlier marketing campaign used phishing assaults to compromise legit RMM software program, the present vulnerabilities resulting in distant code execution are of extra concern as this software program has beforehand been focused by malicious cybercriminals and superior persistent threats (APTs).
CVE-2024-1709 is a crucial vulnerability with a Frequent Vulnerability Scoring System (CVSS) rating of 10.0, which is the very best rating and signifies an entire breakdown of safety measures that may be instantly exploited. The trail traversal vulnerability has a CVSS rating of 8.4, which signifies a excessive severity threat.
ConnectWise introduced the brand new vulnerabilities alongside a repair of their February 2024 security bulletin, stating the next:
“Vulnerabilities have been reported February 13, 2024, by our vulnerability disclosure channel by way of the ConnectWise Belief Middle. There isn’t a proof that these vulnerabilities have been exploited within the wild, however rapid motion should be taken by on-premise companions to handle these recognized safety dangers.” (ConnectWise)
Regardless of this assurance that ScreenConnect servers weren’t compromised, ConnectWise has acquired experiences of suspicious exercise and offered IP addresses utilized by risk actors as identified indicators of compromise (IoCs). ConnectWise shared that the cloud-based choices, [.rt-script]screenconnect.com[.rt-script] or [.rt-script]hostedrmm.com[.rt-script], have already been secured towards these vulnerabilities.
A number of risk intelligence teams have launched working proof-of-concept exploits (PoCs) that illustrate how hackers can exploit this set of vulnerabilities. The Huntress PoC demonstrates the benefit with which an attacker can compromise the ScreenConnect setup wizard and bypass authentication necessities on an current ScreenConnect server, overwriting the person database with a brand new administrative person. Appending a ahead slash [.rt-script]/[.rt-script] to the [.rt-script]SetupWizard.aspx[.rt-script] request URL bypasses the HTTP request filter that ought to deny new setups on current ScreenConnect servers.
“After you have administrative entry to a compromised occasion, it’s trivial to create and add a malicious ScreenConnect extension to realize Distant Code Execution (RCE).” (Huntress)
If an attacker positive aspects entry to your system, they will exploit CVE-2024-1708 to run arbitrary code and modify current information on the server. Malicious actors could set up malware or ransomware, or they might acquire entry to buyer endpoints accessible within the supplier’s ScreenConnect server.
How to reply to the ScreenConnect vulnerabilities
When you use ScreenConnect, you must instantly apply the safety replace from ConnectWise. As a result of these two vulnerabilities will be mixed by risk actors to realize entry and lateral motion inside your system, it’s crucial to guard towards the vulnerability earlier than an attacker exploits it in your system.
Run the ScreenConnect replace for on-premises servers
The ConnectWise security bulletin instructs organizations to improve to the most recent model of ScreenConnect (23.9.10.8817 on the time of publication). If you’re utilizing model 23.9.8, then your server ought to be protected towards the reported vulnerabilities.
Examine indicators of compromise
Each ConnectWise and risk intelligence researchers have launched potential indicators of compromise recognized throughout investigation into these vulnerabilities. It’s best to consider your server to evaluate whether or not it has been compromised, following your group’s incident response plan for quarantine and restoration if the vulnerabilities in your server have been exploited.
ConnectWise reported that the next IP addresses have been utilized by risk actors:
[.rt-script]155.133.5.15[.rt-script][.rt-script]155.133.5.14[.rt-script][.rt-script]118.69.65.60[.rt-script]
You possibly can moreover use the ScreenConnect audit web page to assessment login makes an attempt for unauthorized customers or IP addresses. Horizon3 and GreyNoise have additionally partnered on a malicious activity tag to watch extra IP addresses that try the bypass exploitation.
The Huntress intelligence staff has offered detection guidance that makes use of the Superior Auditing coverage to log file adjustments indicative of an attacker’s presence on the server. Their suggestion makes use of the Windows Event 4663 to log when the [.rt-script]Person.xml[.rt-script] file is modified, equivalent to when the setup wizard creates new customers. Huntress additionally recognized a malicious [.rt-script]SetUpWizard.aspx[.rt-script] URL path within the Microsoft Web Data Companies (IIS) audit log.
You need to use this info as a place to begin to your investigation although it’s possible you’ll must conduct extra forensic evaluation to find out whether or not your server has been compromised attributable to these vulnerabilities.
Automate steady monitoring throughout your public assault floor
Steady monitoring of your exterior assault floor might help you’re taking proactive measures towards any potential identified and unknown vulnerabilities. UpGuard maintains a vulnerability library for patrons utilizing BreachSight and Vendor Risk to assist organizations establish points that want mitigation. We’re at present monitoring the scenario for extra info. When you or a vendor use ScreenConnect, you must decide whether or not it has been up to date to a safe model.
Able to see
UpGuard in motion?
