ConnectWise urges organizations running an on-premises installation of the ScreenConnect remote monitoring and management software (formerly known as ConnectWise Control) to update their servers to version 23.9.8 immediately because of a critical remote code execution vulnerability. The ScreenConnect remote desktop product is at risk from a pair of vulnerabilities: CVE-2024-1709 and CVE-2024-1708.
ScreenConnect vulnerabilities under active exploitation
Attackers can chain the two vulnerabilities, using the authentication bypass CVE-2024-1709 first and then moving through the system with the path traversal CVE-2024-1708. These vulnerabilities affect ScreenConnect 23.9.7 and all prior versions. Because ScreenConnect provides remote access functionality, attackers targeting ConnectWise ScreenConnect may seek to compromise critical systems at organizations with on-premises or self-hosted deployments.
These vulnerabilities follow a January Cybersecurity and Infrastructure Security Agency (CISA) advisory warning of a widespread campaign that compromised remote monitoring and management software, including ScreenConnect, to gain persistence and control of the target network. While that earlier campaign used phishing to abuse legitimate RMM software, the current vulnerabilities, which lead to remote code execution, are of greater concern because this class of software has previously been targeted by cybercriminals and advanced persistent threats (APTs).
CVE-2024-1709 is a critical vulnerability with a Common Vulnerability Scoring System (CVSS) score of 10.0, the highest possible score, indicating a complete breakdown of security controls that can be exploited immediately. The path traversal vulnerability, CVE-2024-1708, has a CVSS score of 8.4, indicating high severity. CVE-2024-1709 has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
ConnectWise announced the vulnerabilities alongside a fix in its February 2024 security bulletin, stating the following:
“Vulnerabilities were reported February 13, 2024, through our vulnerability disclosure channel via the ConnectWise Trust Center. There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks.” (ConnectWise)
Despite this initial assurance that ScreenConnect servers had not been compromised, ConnectWise has since received reports of suspicious activity and has published IP addresses used by threat actors as known indicators of compromise (IoCs). ConnectWise stated that its cloud-hosted offerings, screenconnect.com and hostedrmm.com, have already been secured against these vulnerabilities.
Several threat intelligence groups have released working proof-of-concept exploits (PoCs) that show how attackers can exploit this pair of vulnerabilities. The Huntress PoC demonstrates how easily an attacker can reach the ScreenConnect setup wizard on an existing server, bypass its authentication requirements, and overwrite the user database with a new administrative user. Appending a forward slash (/) to the SetupWizard.aspx request URL bypasses the HTTP request filter that should deny new setups on an already-configured ScreenConnect server.
“Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE).” (Huntress)
Once an attacker has administrative access, they can exploit CVE-2024-1708 to run arbitrary code and modify existing files on the server. From there, malicious actors could install malware or ransomware, or reach the customer endpoints that are enrolled in the provider's ScreenConnect server.
How to respond to the ScreenConnect vulnerabilities
If you use ScreenConnect, apply the security update from ConnectWise immediately. Because threat actors can combine these two vulnerabilities to gain access and then move laterally within your environment, it is critical to patch before an attacker exploits them on your server.
Run the ScreenConnect update for on-premises servers
The ConnectWise security bulletin instructs organizations to upgrade to the latest version of ScreenConnect (23.9.10.8817 at the time of publication). If you are running version 23.9.8 or later, your server is protected against the reported vulnerabilities.
Check for indicators of compromise
Both ConnectWise and threat intelligence researchers have released potential indicators of compromise identified while investigating these vulnerabilities. Evaluate your server to determine whether it has been compromised, and follow your organization's incident response plan for quarantine and recovery if the vulnerabilities on your server were exploited.
ConnectWise reported that the following IP addresses were used by threat actors:
155.133.5.15
155.133.5.14
118.69.65.60
You can also use the ScreenConnect audit page to review login attempts for unauthorized users or IP addresses. Horizon3 and GreyNoise have partnered on a malicious activity tag that tracks additional IP addresses attempting the bypass.
The Huntress intelligence team has published detection guidance that uses the Advanced Auditing policy to log file changes indicative of an attacker's presence on the server. Their recommendation uses Windows Event 4663 to record when the User.xml file is modified, as happens when the setup wizard creates new users (note that 4663 is only generated if object access auditing is enabled and the file carries a matching SACL; it does not appear retroactively). Huntress also identified the malicious SetupWizard.aspx URL path in the Microsoft Internet Information Services (IIS) logs.
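The following is an added example, not code from the page, from ConnectWise, or from Huntress. It is a small Python triage script that applies the two detection ideas above to constructed sample data: it flags IIS requests whose path hits SetupWizard.aspx with anything appended after the filename (the trailing-slash bypass) or that originate from the ConnectWise-published IoC addresses, and it recognizes a Security event 4663 whose ObjectName is User.xml. The log lines and event XML are constructed; the ScreenConnect install path, the web port 8040, and the choice to match anything after the filename rather than only a single slash are assumptions.

```python
"""Added triage helper: scan IIS W3C logs and Security event XML for the
ScreenConnect setup-wizard bypass and the ConnectWise-published IoC IPs."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import unquote

# IP addresses ConnectWise reported as used by threat actors (from the bulletin).
IOC_IPS = {"155.133.5.15", "155.133.5.14", "118.69.65.60"}
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


@dataclass
class Finding:
    reason: str
    client_ip: str
    method: str
    uri_stem: str
    status: str


def is_setupwizard_bypass(uri_stem: str) -> bool:
    """True when the path targets SetupWizard.aspx with anything appended.

    A normal request ends exactly at SetupWizard.aspx. The bypass Huntress
    describes appends a trailing slash so the filter that blocks the wizard on
    an already-configured server no longer matches; matching *anything* after
    the filename (an assumption) also catches percent-encoded variants.
    """
    path = unquote(uri_stem).lower()
    idx = path.find("setupwizard.aspx")
    return idx != -1 and len(path) > idx + len("setupwizard.aspx")


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log data before #Fields header")
        values = line.split()
        if len(values) == len(fields):      # skip malformed rows, never misalign
            yield dict(zip(fields, values))


def scan_iis(lines):
    """Return Findings for bypass-shaped requests and requests from IoC IPs."""
    findings = []
    for rec in parse_w3c(lines):
        ip, stem = rec.get("c-ip", "-"), rec.get("cs-uri-stem", "-")
        method, status = rec.get("cs-method", "-"), rec.get("sc-status", "-")
        if is_setupwizard_bypass(stem):
            findings.append(Finding("SetupWizard.aspx bypass pattern", ip, method, stem, status))
        try:
            if str(ip_address(ip)) in IOC_IPS:
                findings.append(Finding("known IoC source IP", ip, method, stem, status))
        except ValueError:          # "-" or garbage in the c-ip column
            pass
    return findings


def is_user_xml_write(event_xml: str) -> bool:
    """True for a Security event 4663 whose ObjectName is ScreenConnect's User.xml.

    4663 is only emitted when Audit File System is enabled and the file carries a
    SACL for the audited access; without that SACL there is nothing to log.
    """
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "4663":
        return False
    for data in root.iter(f"{EVT_NS}Data"):
        if data.get("Name") == "ObjectName":
            return (data.text or "").lower().endswith("\\user.xml")
    return False


# Constructed sample data (not real logs). Port 8040 and the User.xml install
# path are assumptions about a default on-premises install.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-02-21 03:14:07 10.0.0.5 GET /Login - 8040 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2024-02-21 03:14:09 10.0.0.5 GET /SetupWizard.aspx - 8040 - 203.0.113.10 Mozilla/5.0 - 403 0 0 2
2024-02-21 03:14:11 10.0.0.5 GET /SetupWizard.aspx/ - 8040 - 155.133.5.15 python-requests/2.31 - 200 0 0 41
2024-02-21 03:14:13 10.0.0.5 POST /SetupWizard.aspx/ - 8040 - 155.133.5.15 python-requests/2.31 - 200 0 0 88
2024-02-21 03:15:00 10.0.0.5 GET /App_Extensions/ - 8040 - 118.69.65.60 Mozilla/5.0 - 200 0 0 7
"""
SAMPLE_4663 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><Computer>SC-SRV01</Computer></System>
  <EventData>
    <Data Name="ObjectName">C:\\Program Files (x86)\\ScreenConnect\\App_Data\\User.xml</Data>
    <Data Name="ProcessName">C:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.Service.exe</Data>
    <Data Name="AccessMask">0x2</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for f in scan_iis(SAMPLE_LOG.splitlines()):
        print(f"{f.reason:32} {f.client_ip:15} {f.method} {f.uri_stem} -> {f.status}")
    print("User.xml write audited:", is_user_xml_write(SAMPLE_4663))
```

To use it against a real server, feed `scan_iis` the lines of the site's log files from the IIS log directory and `is_user_xml_write` the XML of each event exported from Event Viewer. A request with the bypass shape that returned 200 on a server that was already configured is the strongest signal; a 403 on the exact SetupWizard.aspx path is the filter working as intended. Absence of 4663 events proves nothing unless auditing and the SACL were in place before the suspected intrusion.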
You can use this information as a starting point for your investigation, though you may need to conduct additional forensic analysis to determine whether your server was compromised through these vulnerabilities.
Automate continuous monitoring across your public attack surface
Continuous monitoring of your external attack surface helps you take proactive measures against both known and unknown vulnerabilities. Cybersecurity maintains a vulnerability library for customers using Breach Risk and Vendor Risk to help organizations identify issues that need mitigation. If you or a vendor use ScreenConnect, you should determine whether it has been updated to a secure version.
Cybersecurity customers can search for CVE-2024-1709 in the Vulnerabilities module to identify whether ScreenConnect poses a risk, or search for ScreenConnect by name in the Portfolio Risk Profile; customers who search for the ScreenConnect finding will be notified of these vulnerabilities.