Cyber Forum
Active Exploits Discussion/Recommendations
ConnectWise ScreenConnect Exploit
<blockquote data-quote="Wayne R. Selk" data-source="post: 8109" data-attributes="member: 224"><p><h3><span style="color: rgb(250, 197, 28)">ACTIONABLE</span> <span style="color: rgb(184, 49, 47)">Severity: High</span> <span style="color: rgb(0, 168, 133)">TLP:GREEN</span> New ScreenConnect RCE Flaw Exploited in Ransomware Attacks</h3><p>[URL unfurl="true"]https://forum.comptiaisao.org/resources/new-screenconnect-rce-flaw-exploited-in-ransomware-attacks.4081/[/URL]</p><p></p><p><strong>Tags</strong></p><ol> <li data-xf-list-type="ol"><strong>Critical CVE</strong></li> </ol><p><strong>Summary:</strong></p><p>Last week enterprise IT giant ConnectWise released patches to address a maximum-severity flaw impacting its remote access software, ScreenConnect. Tracked as CVE-2024-1709, the bug pertains to an authentication bypass that could potentially enable attackers to gain access to confidential information or critical systems. During its initial publication, ConnectWise noted it had no evidence to suggest that the flaw was being exploited in attacks in the wild. However, in the past week, actors have started to leverage the exploit in attacks to deploy various payloads on victim environments. In particular, researchers at Sophos have reported the flaw being exploited to deploy a buhtiRansom LockBit ransomware variant, which was allegedly built using a LockBit ransomware builder leaked by a disgruntled malware developer in late September 2022. Other payloads observed by Sophos include AsyncRAT as well as various infostealers. Cybersecurity firm Huntress has also noted the deployment of Cobalt Strike, SSH tunnels, and cryptocurrency miners after successful exploitation.</p><p></p><p><strong>Analyst comments:</strong></p><p>The development comes after a working proof-of-concept (PoC) exploit was released by Huntress for CVE-2024-1709, making it easier for actors to launch attacks. 
According to the security threat monitoring platform Shadowserver, 643 IPs are currently targeting vulnerable servers. While not much detail regarding these attacks has been released, some of the victims include a local government as well as a healthcare clinic.</p><p></p><p><strong>Mitigation:</strong></p><p>Shodan currently tracks over 8,659 ScreenConnect servers, with only 980 running the patched ScreenConnect 23.9.8 version. Many of the vulnerable servers reside in the United States, followed by Canada and the United Kingdom. In light of the exploitation attempts, CISA is urging organizations to apply the patches as soon as possible, but no later than February 29.</p><p></p><p>Bitdefender recommends monitoring the "C:\Program Files (x86)\ScreenConnect\App_Extensions\" folder; any suspicious .ashx and .aspx files stored directly in the root of that folder may indicate unauthorized code execution.</p><p></p><p><strong>Source:</strong></p><p><a href="https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass" target="_blank">https://www.huntress.com/blog/a-cat...nding-the-screenconnect-authentication-bypass</a></p><p><a href="https://infosec.exchange/@SophosXOps/111975047329915026" target="_blank">https://infosec.exchange/@SophosXOps/111975047329915026</a></p><p><a href="https://www.bitdefender.com/blog/businessinsights/technical-advisory-critical-connectwise-screenconnect-authentication-bypass/" target="_blank">https://www.bitdefender.com/blog/bu...nectwise-screenconnect-authentication-bypass/</a></p><p><a href="https://www.bleepingcomputer.com/news/security/new-screenconnect-rce-flaw-exploited-in-ransomware-attacks/" target="_blank">https://www.bleepingcomputer.com/ne...ect-rce-flaw-exploited-in-ransomware-attacks/</a></p></blockquote><p></p>