Please see the following regarding the active exploit of on-premise ScreenConnect servers. The CompTIA ISAO is making this information available to the entire industry as a service. We ask that you share this information as widely as possible to help respond. We will provide updates to this thread as they are released by ConnectWise.

The following was originally posted at 2:02 PM on Tuesday, February 20, 2024 in this Breaking News thread.

Summary

Vulnerabilities were reported February 13, 2024, through the ConnectWise vulnerability disclosure channel via the ConnectWise Trust Center. There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks.


https://connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Continue reading...
 
Last edited:

ACTIONABLE Severity: High TLP:GREEN ScreenConnect Critical Bug Now Under Attack as Exploit Code Emerges

Tags

Critical CVE

Summary:

Technical details and proof-of-concept exploits are available for two vulnerabilities in ConnectWise ScreenConnect. A day after the vendor published the security issues, attackers started leveraging them in attacks.

CVE-2024-1708 and CVE-2024-1709 have been assigned as the identifiers to the the two security issues, which the vendor assessed as a maximum severity authentication bypass and a high-severity path traversal flaw that impact ScreenConnect servers 23.9.7 and earlier.

In an updated advisory released today, ConnectWise says threat actors have compromised multiple ScreenConnect accounts. Developing an exploit for the vulnerability is a trivial task according to security experts, and it is expected threat actors will continue to capitalize on the vulnerability as organizations work to patch.

Analyst comments:
Huntress has tested and validated a working PoC. The company notes that the Censys platform was showing more than 8,800 vulnerable ScreenConnect servers exposed. An assessment from The ShadowServer Foundation noted that yesterday the number was around 3,800. Exploits emerged quickly, soon after ConnectWise announced the two vulnerabilities. Huntress shared detailed analysis on how easy it is to exploit the vulnerabilities, in hopes that organizations would work faster to implement mitigations and remediation.

The flaw is the result of an authentication process that wasn’t secure against all access paths, including the setup wizard, SetupWizard[.]aspx. This allowed specially crafted requests that could allow users to use the setup wizard even when ScreenConnect had already been installed. An adversary could create a new administrator account and use it to take control of the ScreenConnect instance.

“Leveraging the path traversal bug is possible with the help of another specially crafted request that allows accessing or modifying files outside the intended restricted directory. The flaw was located by noticing code changes on the 'ScreenConnect.Core[.]dll' file, pointing to ZipSlip, a vulnerability that occurs when applications don't properly sanitize the file extraction path, which could result in overwriting sensitive files” (Bleeping Computer, 2024).

Updates from ConnectWise introduced stricter path validation when extracting ZIP file contents, specifically to prevent file writing outside designated subdirectories with the ScreenConnect folder. With administrative access from the previous exploit, it is possible to access or manipulate the User[.]xml file and other sensitive files by crafting requests that include directory traversal sequences to navigate the file system beyond the intended limits.

Lastly, attackers can use the exploit to upload a payload, which could be a malicious script or an executable file, outside the ScreenConnect subdirectory.

Mitigation:
ConnectWise urged admins to update on-premise servers to version 23.9.8 immediately to mitigate the risk and clarified that those with instances on screenconnect[.]com cloud or hostedrmm[.]com have been secured.

Admins who haven't applied the security updates are strongly recommended to use the detections to check for unauthorized access.

Source:
https://www.bleepingcomputer.com/ne...bug-now-under-attack-as-exploit-code-emerges/
https://www.huntress.com/blog/a-cat...nding-the-screenconnect-authentication-bypass
 
Last edited:
https://forum.comptiaisao.org/threa...024-connectwise-screenconnect-patch-now.6723/

Summary


Vulnerabilities were reported February 13, 2024, through the ConnectWise vulnerability disclosure channel via the ConnectWise Trust Center. There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks.

https://connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Continue reading...
 
  • Like
Reactions: Paula Kapacinskas
ConnectWise took an unprecedented step last night to disable all unpatched servers. This was the right call. Proactively preventing what could have been a major disruption.

 

ACTIONABLE Severity: High TLP:GREEN New ScreenConnect RCE Flaw Exploited in Ransomware Attacks​


Tags
  1. Critical CVE
Summary:
Last week enterprise IT giant ConnectWise released patches to address a maximum-severity flaw impacting its remote access software, ScreenConnect. Tracked as CVE-2024-1709, the bug pertains to an authentication bypass that could potentially enable attackers to gain access to confidential information or critical systems. During its initial publication, ConnectWise noted it had no evidence to suggest that the flaw was being exploited in attacks in the wild. However, in the past week, actors have started to leverage the exploit in attacks to deploy various payloads on victim environments. In particular researchers at Sophos have reported the flaw being exploited to deploy a buhtiRansom LockBit ransomware variant which was allegedly built using a LockBit ransomware builder leaked by a disgruntled malware developer in late September 2022. Other payloads observed by Sophos include AsyncRAT as well as various infostealers. Cybersecurity firm Huntress has also noted the deployment of Cobalt Strike, SSH tunnels, and cryptocurrency miners after successful exploitation.

Analyst comments:
The development comes after a working proof-of-concept (PoC) exploit was released by Huntress for CVE-2024-1709 making it easier for actors to launch attacks. According to security threat monitoring platform Shadowserver, it has identified 643 IPs currently targeting vulnerable servers. While not much detail regarding these attacks has been released, some of the victims include a local government as well as a healthcare clinic.

Mitigation:
Shodan currently tracks over 8,659 ScreenConnect servers, with only 980 running the ScreenConnect 23.9.8 patched version. Many of the vulnerable servers reside in the United States, followed by Canada and the United Kingdom. In light of the exploitation attempts, CISA is urging organizations to apply the patches as soon as possible, but no later than February 29.

Bitdefender recommends monitoring the "C:\Program Files (x86)\ScreenConnect\App_Extensions\" folder for any suspicious .ashx and .aspx files stored directly in the root of that folder may indicate unauthorized code execution.

Source:
https://www.huntress.com/blog/a-cat...nding-the-screenconnect-authentication-bypass
https://infosec.exchange/@SophosXOps/111975047329915026
https://www.bitdefender.com/blog/bu...nectwise-screenconnect-authentication-bypass/
https://www.bleepingcomputer.com/ne...ect-rce-flaw-exploited-in-ransomware-attacks/
 
  • Like
Reactions: Paula Kapacinskas
The new ScreenConnect patch will now upgrade you to the latest version—even if you’re no longer under maintenance.
Get the details and the patch here

Huntress relevant posts
 
  • Like
Reactions: Paula Kapacinskas
Sophos X-Ops is tracking a developing wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations. This page provides advice and guidance for customers, researchers, investigators and incident responders. This information is based on observation and analysis of attacks by SophosLabs, Sophos Managed Detection and Response (MDR) and Sophos Incident Response (IR), in which the ScreenConnect client or server was involved.

We will update this page as events and understanding develop, including our threat and detection guidance.

Sophos News Feed is also shared in the Cyber Forum. https://forum.comptiaisao.org/threads/connectwise-screenconnect-attacks-deliver-malware.6750/
 
  • Like
Reactions: Paula Kapacinskas
For the ISAO, we have some extensive network traffic monitoring capabilities deployed and have found a common set of SourceIPs responsible for much of the footprinting activity that has has been targeted against locating vulnerable ScreenConnect servers. Our observations have been in lock-step with the observations posted on reddit in r/msp - same source blocks doing the scanning. I've provided this list below for reference, since I've not seen any specific technical data in this forum. This morning, the pattern changed and we now see new source netblocks in the mix:

198.74.56.0/24
192.155.88[.]231
138.197.15[.]3
45.79.163[.]53

Baseline list from r/msp
Malicious IPs targeting SC Servers:
45.66.228[.]0/22
45.89.244[.]0/22
91.92.240[.]0/20
93.123.39[.]0/24
93.123.40[.]0/21
93.123.48[.]0/20
93.123.64[.]0/22
94.156.0[.]0/21
94.156.8[.]0/24
94.156.64[.]0/20
94.156.80[.]0/21
147.78.100[.]0/22
185.216.68[.]0/22
 

INFORMATIONAL - TLP:GREEN - Black Basta, bl00dy Ransomware Gangs Join ScreenConnect Attacks

Summary:
The Black Basta and Bl00dy ransomware groups have recently been identified as participants in a wave of attacks targeting vulnerable ScreenConnect servers. These attacks exploit a critical authentication bypass vulnerability (CVE-2024-1709), which enables threat actors to create administrative accounts on internet-exposed servers. Once created, these accounts can be used to delete other users and assume control of the affected systems. This flaw has been actively exploited since security updates were released by ConnectWise, prompting swift action from cybersecurity companies and government agencies.
 
Last edited by a moderator:

ACTIONABLE Severity: Medium TLP:GREEN ScreenConnect Flaws Exploited to Drop New ToddlerShark Malware​

Summary:
Late last month, ConnectWise addressed two flaws impacting its remote access software ScreenConnect, which could be exploited by actors to bypass authentication (CVE-2024-1709) and execute code remotely (CVE-2024-1708). Since then, several threat actors have abused the flaws, particularly CVE-2024-1709, in the wild to deploy various payloads including ransomware (Black Basta, Bl00dy, LockBit), remote access trojans, info stealers, and much more. According to cybersecurity analysts at Kroll, North Korean APT group Kimsuky has now joined in the exploitation of these flaws to infect victims with a new malware variant dubbed ToddlerShark. ToddlerShark is believed to be a new variant of the group’s BabyShark and ReconShark backdoors and is mainly designed to harvest/collect system data (hostname, user accounts, active user sessions, running processes, etc) and maintain persistent access to the target system through the help of scheduled tasks. Notable about the malware is its ability to evade detection through the use of legitimate Microsoft binaries such as mshta.exe, which is further used to execute heavily obfuscated VBScripts scripts, making analysis more challenging. ToddlerShark is also capable of modifying the Windows Registry to allow macros to run without triggering alerts and employs randomized strings to alter its structural pattern, rendering signature-based detections ineffective.
 
Last edited by a moderator:
  • Like
Reactions: Lisa Person