ConnectWise ScreenConnect Exploit

For the ISAO, we have some extensive network traffic monitoring capabilities deployed and have found a common set of source IPs responsible for much of the footprinting activity that has been targeted at locating vulnerable ScreenConnect servers. Our observations have been in lock-step with the observations posted on reddit in r/msp - same source blocks doing the scanning. I've provided this list below for reference, since I've not seen any specific technical data in this forum. This morning, the pattern changed and we now see new source netblocks in the mix:

198.74.56.0/24
192.155.88[.]231
138.197.15[.]3
45.79.163[.]53

Baseline list from r/msp
Malicious IPs targeting SC Servers:
45.66.228[.]0/22
45.89.244[.]0/22
91.92.240[.]0/20
93.123.39[.]0/24
93.123.40[.]0/21
93.123.48[.]0/20
93.123.64[.]0/22
94.156.0[.]0/21
94.156.8[.]0/24
94.156.64[.]0/20
94.156.80[.]0/21
147.78.100[.]0/22
185.216.68[.]0/22
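To put the netblocks above to use on the defensive side, here is an added Python example (not part of the post, and not the ISAO's own tooling) that re-fangs the posted indicators, turns them into CIDR networks with the standard-library ipaddress module, and flags any web-server log line whose client IP falls inside one of them. The log lines and their field layout are constructed for the demo; adjust client_ip() to your server's actual log format.

```python
import ipaddress

# Netblocks and hosts quoted in the post above, kept in the defanged "[.]" form as posted.
POSTED_NETBLOCKS = [
    "198.74.56.0/24", "192.155.88[.]231", "138.197.15[.]3", "45.79.163[.]53",
    "45.66.228[.]0/22", "45.89.244[.]0/22", "91.92.240[.]0/20", "93.123.39[.]0/24",
    "93.123.40[.]0/21", "93.123.48[.]0/20", "93.123.64[.]0/22", "94.156.0[.]0/21",
    "94.156.8[.]0/24", "94.156.64[.]0/20", "94.156.80[.]0/21", "147.78.100[.]0/22",
    "185.216.68[.]0/22",
]


def refang(indicator):
    """Turn '1.2.3[.]4' back into '1.2.3.4' so ipaddress can parse it."""
    return indicator.replace("[.]", ".")


def build_networks(indicators):
    """Parse every indicator into an IPv4Network; a bare host address becomes a /32."""
    return [ipaddress.ip_network(refang(i), strict=False) for i in indicators]


# Constructed, IIS-W3C-style sample lines (not real traffic). Field layout assumed here:
# date time s-ip method uri query port user c-ip user-agent referer status
SAMPLE_LOG = """\
2024-02-22 08:01:13 10.0.0.5 GET /Login - 443 - 45.66.229.10 python-requests/2.31 - 200
2024-02-22 08:01:14 10.0.0.5 GET /Host - 443 - 203.0.113.5 Mozilla/5.0 - 200
2024-02-22 08:02:40 10.0.0.5 POST /Login - 443 - 198.74.56.77 curl/8.4.0 - 200
2024-02-22 08:03:02 10.0.0.5 GET / - 443 - 192.155.88.231 - - 302
"""


def client_ip(line):
    """Return the c-ip field (index 8 in the constructed layout) or None."""
    fields = line.split()
    return fields[8] if len(fields) > 8 else None


def match_log(log_text, networks):
    """Return (client_ip, matched_network, line) for each line whose client IP is in a listed block."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        raw = client_ip(line)
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed or missing c-ip field; skip rather than crash
        for net in networks:
            if addr in net:
                hits.append((str(addr), str(net), line))
                break
    return hits


if __name__ == "__main__":
    for ip, net, line in match_log(SAMPLE_LOG, build_networks(POSTED_NETBLOCKS)):
        print(f"{ip} in {net}: {line}")
```

A match only says the request came from a block seen scanning for ScreenConnect; treat it as a prompt to check that server's patch level and review what those requests did, not as proof of compromise.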

ConnectWise ScreenConnect Exploit

Sophos X-Ops is tracking a developing wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations. This page provides advice and guidance for customers, researchers, investigators and incident responders. This information is based on observation and analysis of attacks by SophosLabs, Sophos Managed Detection and Response (MDR) and Sophos Incident Response (IR), in which the ScreenConnect client or server was involved.

We will update this page as events and understanding develop, including our threat and detection guidance.

Sophos News Feed is also shared in the Cyber Forum. https://forum.comptiaisao.org/threads/connectwise-screenconnect-attacks-deliver-malware.6750/

ConnectWise ScreenConnect Exploit

The new ScreenConnect patch will now upgrade you to the latest version—even if you’re no longer under maintenance.
Get the details and the patch here

Huntress relevant posts

ConnectWise ScreenConnect Exploit

ACTIONABLE Severity: High TLP:GREEN New ScreenConnect RCE Flaw Exploited in Ransomware Attacks

Tags: Critical CVE
Summary:
Last week, enterprise IT giant ConnectWise released patches to address a maximum-severity flaw impacting its remote access software, ScreenConnect. Tracked as CVE-2024-1709, the bug pertains to an authentication bypass that could potentially enable attackers to gain access to confidential information or critical systems. During its initial publication, ConnectWise noted it had no evidence to suggest that the flaw was being exploited in attacks in the wild. However, in the past week, actors have started to leverage the exploit in attacks to deploy various payloads on victim environments. In particular, researchers at Sophos have reported the flaw being exploited to deploy a buhtiRansom LockBit ransomware variant which was allegedly built using a LockBit ransomware builder leaked by a disgruntled malware developer in late September 2022. Other payloads observed by Sophos include AsyncRAT as well as various infostealers. Cybersecurity firm Huntress has also noted the deployment of Cobalt Strike, SSH tunnels, and cryptocurrency miners after successful exploitation.

Analyst comments:
The development comes after a working proof-of-concept (PoC) exploit was released by Huntress for CVE-2024-1709 making it easier for actors to launch attacks. According to security threat monitoring platform Shadowserver, it has identified 643 IPs currently targeting vulnerable servers. While not much detail regarding these attacks has been released, some of the victims include a local government as well as a healthcare clinic.

Mitigation:
Shodan currently tracks over 8,659 ScreenConnect servers, with only 980 running the ScreenConnect 23.9.8 patched version. Many of the vulnerable servers reside in the United States, followed by Canada and the United Kingdom. In light of the exploitation attempts, CISA is urging organizations to apply the patches as soon as possible, but no later than February 29.

Bitdefender recommends monitoring the "C:\Program Files (x86)\ScreenConnect\App_Extensions\" folder for any suspicious .ashx and .aspx files; files stored directly in the root of that folder may indicate unauthorized code execution.

Source:
https://www.huntress.com/blog/a-cat...nding-the-screenconnect-authentication-bypass
https://infosec.exchange/@SophosXOps/111975047329915026
https://www.bitdefender.com/blog/bu...nectwise-screenconnect-authentication-bypass/
https://www.bleepingcomputer.com/ne...ect-rce-flaw-exploited-in-ransomware-attacks/
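The Bitdefender check quoted in the post above, as an added Python example (not Bitdefender's, Sophos's or ConnectWise's code): it lists only .ashx/.aspx files sitting directly in the App_Extensions root, deliberately without recursing into extension subfolders, and records size, modification time and SHA-256 for each so a responder can triage or block them. The default path comes from the post; a non-default install path is an assumption you pass in. demo_tree() builds a constructed folder layout in a temp directory so the check can be run offline.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Folder named in the guidance above; pass a different path for a non-default install.
DEFAULT_EXTENSIONS_DIR = r"C:\Program Files (x86)\ScreenConnect\App_Extensions"
FLAGGED_SUFFIXES = {".ashx", ".aspx"}


def sha256_of(path):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_root_handlers(extensions_dir=DEFAULT_EXTENSIONS_DIR):
    """Report .ashx/.aspx files directly in App_Extensions, ignoring extension subfolders."""
    root = Path(extensions_dir)
    findings = []
    if not root.is_dir():
        return findings  # folder absent: nothing to report, not an error
    for entry in sorted(root.iterdir()):  # top level only, no recursion on purpose
        if entry.is_file() and entry.suffix.lower() in FLAGGED_SUFFIXES:
            st = entry.stat()
            findings.append({
                "path": str(entry),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": sha256_of(entry),
            })
    return findings


def demo_tree():
    """Constructed App_Extensions layout for the demo: one extension living in its own
    subfolder (expected) and one stray handler dropped in the root (what the check flags)."""
    base = Path(tempfile.mkdtemp()) / "App_Extensions"
    (base / "ExampleExtension").mkdir(parents=True)
    (base / "ExampleExtension" / "Service.ashx").write_text("constructed placeholder")
    (base / "stray.ASPX").write_text("constructed sample, not a real payload")
    (base / "readme.txt").write_text("ignored")
    return str(base)


if __name__ == "__main__":
    for finding in find_root_handlers(demo_tree()):
        print(finding)
```

Run it against the real folder by calling find_root_handlers() with no argument on the server; compare any hit's hash and modification time against your change records before deleting it, since a legitimate but misplaced handler would be flagged the same way.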
