ConnectWise ScreenConnect Faces Attacks Following Critical Bugs - CVE-2024-1708 and CVE-2024-1709

Introduction:

ConnectWise's ScreenConnect, a widely used remote monitoring and management (RMM) software, is currently facing security threats due to two critical vulnerabilities: CVE-2024-1709 and CVE-2024-1708. Malicious actors are actively exploiting these vulnerabilities, prompting a rapid response from ConnectWise in the form of a critical patch. This article offers insights into the vulnerabilities, ongoing exploitation, and guidance for organizations to safeguard their systems.

Vulnerabilities Overview:

ConnectWise has identified two vulnerabilities with significant severity scores: CVE-2024-1709 and CVE-2024-1708. These vulnerabilities, an authentication bypass and a path traversal flaw, impact ScreenConnect servers version 23.9.7 and earlier, posing risks of unauthorized access and remote code execution.

ConnectWise's Response:

ConnectWise has swiftly responded to the critical vulnerabilities by releasing ScreenConnect version 23.9.8 as a patch. While cloud instances have received automatic updates, on-premise users are strongly advised to apply the patch immediately to secure their systems.

Active Exploitation and Attack Landscape:

Reports confirm that threat actors have actively exploited these vulnerabilities, with over 8,800 vulnerable ScreenConnect servers exposed. The attack landscape includes the compromise of ScreenConnect accounts, leading to the delivery of various malware, such as LockBit ransomware, AsyncRAT, password stealers, and Cobalt Strike payloads.

Detection Guidance for ConnectWise CVE-2024-1709:

Further, this article will explain detection guidance, including potential indicators of compromise (IOCs) related to CVE-2024-1709. Organizations are advised to scrutinize the User.xml file, timestamps, and Windows Event ID 4663 events. Despite challenges in definitively identifying exploitation due to limited logging and forensic artifacts on a ScreenConnect server, steps to enhance defense-in-depth measures are further highlighted below.

Indicators of Compromise (IOCs):

File Path: C:\Program Files (x86)\ScreenConnect\App_Data\

File Name: User.xml

Timestamps: Presence of 0001-01-01T00:00:00 indicates potential exploitation.

Windows Event ID 4663: Monitor for modification events on the User.xml file.

ScreenConnect Server Version: Vulnerable versions include 23.9.7 and earlier.

CVE Identifiers: CVE-2024-1708 and CVE-2024-1709.

Exploit Artifacts: Huntress suggests examining IIS logs for evidence of exploit execution.

ConnectWise has identified the following IP IoCs, which were recently used by threat actors:

155.133.5[.]15

155.133.5[.]14

118.69.65[.]60

Recommendations for Users:

Immediate Patching: Upgrade ScreenConnect to version 23.9.8 promptly, especially for on-premise instances.

1. Security Checks: Conduct thorough security assessments, checking for signs of compromise and unauthorized access.

2. Third-Party Vendors: Ensure third-party vendors hosting ScreenConnect have upgraded to version 23.9.8.

3. Endpoint Security: Deploy robust endpoint security measures to detect and prevent potential threats.

4. Threat Hunting: Leverage IOCs and implement threat-hunting practices.

5. User Verification: Confirm the patch status of all servers connected to ScreenConnect clients.

6. Incident Response: Prepare for incident response procedures and monitor for unusual activities.

Conclusion:

The critical vulnerabilities, CVE-2024-1708 and CVE-2024-1709, affecting ConnectWise's ScreenConnect software have evolved into an active and severe threat. The exploitation of these vulnerabilities is well underway, with threat actors compromising numerous ScreenConnect accounts and deploying various forms of malware. ConnectWise's rapid response in releasing version 23.9.8 as a critical patch underscores the urgency of applying updates, particularly for on-premise instances.

In conclusion, organizations using ScreenConnect are strongly urged to act promptly, applying the critical patch, conducting security checks, and enhancing overall cybersecurity measures. The collaboration of cybersecurity researchers, ConnectWise, and organizations in swiftly addressing this security incident is crucial to mitigating the risks and securing systems against ongoing and potential future exploitation.