New vulnerabilities in ConnectWise ScreenConnect massively exploited by attackers


Two new vulnerabilities affect ConnectWise ScreenConnect, the remote desktop and access software used for support: CVE-2024-1709 and CVE-2024-1708, with the former being particularly dangerous for organizations.

CVE-2024-1709, affecting ScreenConnect 23.9.7 and earlier, allows any remote attacker to bypass authentication to delete the ScreenConnect user database and gain control of an administrator user. Massive exploitation by attackers continues in the wild, with more than 3,000 vulnerable instances accessible from the Internet. Security companies have observed ransomware, information stealers, and Cobalt Strike payloads, to name a few, being installed after successfully exploiting the vulnerability.

The CVE-2024-1708 vulnerability, which is not as severe as CVE-2024-1709, allows path traversal, allowing an attacker to access files and directories that should not be accessible.

Technical details about the ScreenConnect vulnerability CVE-2024-1709

The American cybersecurity company Huntress published technical details about the ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709, the latter being particularly dangerous because a simple request to a special path on exposed instances allows an attacker to connect to the configuration wizard . of the instance (Figure A).

Figure A: Unauthenticated access to the ScreenConnect setup wizard. Image: Hunter

As the Huntress researchers explained, the setup wizard is responsible for setting up the initial administrator user and installing a license on the system. The Huntress team wrote: “The user creation portion of this setup occurs immediately after clicking the 'Next' button on the setup page, so there is no need to complete the entire setup wizard to exploit the system”. If an attacker completes this step, the internal user database will be completely overwritten and all local users will be deleted, leaving only the attacker as the administrator of the instance.

Once this is done, it is trivial to create and load a malicious ScreenConnect extension to obtain full remote code execution on the instance, according to the researchers.

Another vulnerability, CVE-2024-1708, has also been reported, which is a less serious vulnerability that allows path traversal.

Mass exploitation of CVE-2024-1709 in the wild has begun

A proof of concept to exploit CVE-2024-1709 was posted on GitHub, showing how to add a new user to the compromised system.

Cybersecurity company Sophos observed several attacks on February 21, 2024, in which attackers dropped ransomware created with the LockBit authoring tool on the networks of 30 customers. Important note: Using the LockBit ransomware creation tool does not mean you have ties to the LockBit developers, especially when the LockBit infrastructure was recently removed. Any cybercriminal with access to the builder can be behind those attacks, and the ransom note observed by Sophos mentioned the “buthtiRansom” variant. Sophos stated that another ransomware based on the LockBit builder called “LockBit Black” was observed but was not deployed in the customer's environment.

Cobalt Strike Password Stealers, RATs, and Payloads

Cybersecurity attacks other than ransomware are currently affecting exposed vulnerable instances of ScreenConnect; For example, password stealers (such as Vidar/Redline) or RATs (such as AsyncRAT) have also been observed following the exploitation of the CVE-2024-1709 vulnerability.

Cobalt Strike payloads have also affected exposed ScreenConnect instances. Sophos saw three similar attacks that dropped a .cmd file in the temporary folder where ScreenConnect downloads files before executing it. The cmd attempted to start PowerShell to download an additional payload, but failed due to endpoint protection.

Thousands of ScreenConnect instances exposed, mostly on US IP addresses

ONYPHE, a French cyber defense search engine dedicated to the discovery and management of attack surfaces, provided TechRepublic with statistics on exposed ScreenConnect instances.

Between February 19 and February 25, 2024, ONYPHE saw 5,731 unique ScreenConnect IP addresses exposed, of which 3,284 were vulnerable to CVE-2024-1709. The majority of those instances are running on US IP addresses (66.12%), followed by Canada (7.84%) and the UK (7.35%).Figure B).

Percentage of IP addresses exposed by country.
Figure B: Percentage of exposed IP addresses by country. Image: ONYPHE

How to Protect Yourself from Exploitation Through These ConnectWise ScreenConnect Vulnerabilities

How to detect exploitation of these ConnectWise ScreenConnect vulnerabilities

In terms of detection, searching for the pattern “/SetupWizard.aspx/” in the server logs may indicate an attempted attack. The “%ProgramFiles(x86)%ScreenConnectApp_Extensions” folder should also be monitored as it could be used to store and execute attacker payloads.

SEE: Download this TechRepublic Premium Incident Reporting and Response Procedures Policy

How to Protect Your Business from These ConnectWise ScreenConnect Exploits

ConnectWise stated in their February 23, 2024 security bulletin that they “have taken an exceptional step to assist partners who are no longer in maintenance by making them eligible to install version 22.4 at no additional cost, which will address CVE-2024-1709 “.

ConnectWise recommends local partners immediately update ScreenConnect to 23.9.8 or higher to address reported vulnerabilities. ConnectWise has also implemented an additional mitigation step for unpatched local users that suspends an instance if it is not on version 23.9.8 or later.

Cloud partners receive remedial action against vulnerabilities reported by ConnectWise. Local partners are recommended to immediately upgrade to the latest version of ScreenConnect. ConnectWise has removed licensing restrictions, so partners who are no longer supported can upgrade to the latest version of ScreenConnect.

Divulgation: I work for Trend Micro, but the opinions expressed in this article are my own.

scroll to top