Alert essentials: Malware and ransomware variants are using an easy-to-exploit vulnerability in a rash of network compromises. Attacks involving ConnectWise ScreenConnect have grown rapidly in the last two days as the seemingly unrelated intrusions expand their reach. Update existing instances of ScreenConnect to version 23.9.8 or disconnect and discontinue use of the product.
Detailed threat description: Self-hosted and on-premise customers using ConnectWise's remote connectivity tool ScreenConnect are advised to update to the latest version immediately. Two vulnerabilities were recently discovered and are being heavily exploited in the wild. The most serious of the flaws is an authentication bypass that allows the threat actor administrative or SYSTEM-level access to the compromised software. Cloud instances of ConnectWise ScreenConnect have already been updated, and no end-user action is required.
This flaw has been utilized in many malware and ransomware attacks observed over the last few days. Various research teams each report seeing hundreds of IPs under attack as CVE-2024-1709 becomes more widely exploited. Many security researchers have stated that they expect this vulnerability will continue to be actively targeted because of the ease of exploitation and existing proof-of-concept exploits. CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, and federal agencies have until February 29 to upgrade vulnerable software versions. Comments from security leaders have suggested this could be the beginning of an enormous supply chain attack.
ConnectWise has removed license restrictions so older versions can be upgraded even if a maintenance agreement has expired. ConnectWise is mitigating vulnerable versions by suspending instances they find and alerting clients of the necessary actions to perform.
This product is frequently used by vendor and MSP connections and may be found in devices receiving less maintenance. It is highly advised that environments be investigated for product use and that all versions be upgraded to 23.9.8 immediately!
UPDATE: On Wednesday, February 21, Change Healthcare began experiencing a cyber security issue and isolated its systems. Optum, UnitedHealthcare, and UnitedHealth Group (UHG) systems were not affected by this issue according to information provided by UHG. UHG has also stated they have taken appropriate action to contain the incident.
RedSense has published cyber intelligence that Change Healthcare, along with other organizations, fell victim to the exploitation of the ConnectWise ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709. Currently, we are unable to confirm attack details as the attack is still under investigation. RedSense has noted that more victims of similar attacks are likely as the vulnerability is ‘fairly trivial’ to exploit.
Impacts on healthcare organizations: These vulnerabilities have been used in various types of attacks, including malware and ransomware. With the flaws, a threat actor can compromise a network, which could make life-saving technology unavailable for undetermined amounts of time.
Affected products / versions:
- ScreenConnect versions 22.4 through 23.9.7
CVEs
- CVE-2024-1709
- CVE-2024-1708
UPDATE: Indicators of Compromise (IOCs)
Log traffic to/from these IPs could indicate a compromise:
Additional IOCs:
- Verify if User.xml exists in the Windows ScreenConnect path
- If identified, it is recommended to isolate the endpoint and inspect this file for an RCE (This file generally equates to an owned server)
- Examine this file on the server hosting ConnectWise ScreenConnect: C:\Program Files (x86)\ScreenConnect\App_Data\User.xml
- Evaluate the “<name>” field along with the “<CreationDate>” field. If a user was recently created, review their <roles> field.
- If the role is ‘admin’ related, you probably have been compromised
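The User.xml review described above can be scripted for triage of a copy of the file. This is an added example, not ConnectWise or Fortified code; the element layout of the sample, the function name `review_users` and the 14-day window are assumptions built from the field names in this advisory.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample. The element layout is an assumption built from the field
# names in the advisory (name, CreationDate, roles), not a real User.xml.
SAMPLE_USER_XML = """<Users>
 <User><Name>helpdesk</Name><CreationDate>2022-03-14T09:12:00Z</CreationDate><Roles>Host</Roles></User>
 <User><Name>svc-new</Name><CreationDate>2024-02-21T03:41:07Z</CreationDate><Roles><Role>Administrator</Role></Roles></User>
 <User><Name>ops2</Name><CreationDate>not-a-date</CreationDate><Roles>Admin</Roles></User>
</Users>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1].lower()  # tag name, no namespace, lower case

def _texts(elem, name):
    """All non-empty text values under descendants of elem named `name`."""
    return [t.strip() for d in elem.iter() if d is not elem and _local(d.tag) == name
            for t in d.itertext() if t.strip()]

def _parse_date(text):
    try:
        dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    except ValueError:
        return None  # unknown format: the caller flags it for manual review
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def review_users(xml_text, now, window_days=14):
    """Return (name, created, roles, verdict) for every admin-related account."""
    # The file may be attacker-written: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in User.xml; inspect manually")
    findings = []
    for user in ET.fromstring(xml_text).iter():
        if _local(user.tag) != "user":
            continue
        roles = _texts(user, "roles")
        if not any("admin" in r.lower() for r in roles):
            continue
        name = " ".join(_texts(user, "name"))
        created = _parse_date(" ".join(_texts(user, "creationdate")))
        if created is None:
            verdict = "REVIEW: admin role, creation date unreadable"
        elif now - created <= timedelta(days=window_days):
            verdict = "SUSPECT: admin role, recently created"
        else:
            verdict = "existing admin: confirm it is expected"
        findings.append((name, created, roles, verdict))
    return findings
```

Run it against a copy of the file taken from the isolated server, passing the current UTC time as `now`; any SUSPECT or REVIEW row is a reason to start the incident response steps listed under the recommendations.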
It’s important to note that the attack chain bypasses 2-factor authentication via brute force before executing local commands. This allows the threat actors to create an account called ‘cloudadmin’. Using this account, they create a ‘test@2021’ to ping Google.com. Next, the threat actors attempt to establish a connection over HTTPS to transfer[.]sh, a web-based file-sharing service, most likely using the command line.
Recommendations
Engineering recommendations:
- Locate and upgrade any vulnerable versions of ConnectWise ScreenConnect
- If a user reports that a remote connection is frozen, check for association with a vulnerable ConnectWise product
- Add the Indicators of Compromise at the link below to cybersecurity monitoring platforms
- Bitdefender researchers advocate monitoring the “C:\Program Files (x86)\ScreenConnect\App_Extensions” folder. Any suspicious .ashx and .aspx files stored directly in the root of that folder may indicate unauthorized code execution
- If a third-party vendor hosts your deployment of ScreenConnect Server, confirm with them they have upgraded their instance to 23.9.8 or later; if not, recommend that they take it offline until the patches are applied
- If you have ScreenConnect clients and are unsure of/unable to determine the patch status of all servers that may connect to it, you should presume these servers are vulnerable until you can verify otherwise
- Deploy endpoint security to any server currently or formerly used to run ScreenConnect
Leadership / program recommendations:
- ConnectWise may alert organizations of vulnerable versions of ScreenConnect that have suspended functionality
- If Engineering identifies User.xml and it is a new user with the Admin Role, it is likely that you have been compromised and should start Incident Response (IR) procedures
- Conduct a Risk Evaluation of the impacts of severing connectivity to Optum. This could include but not be limited to loss of prior procedure authorizations, electronic prescribing, and other patient care functions. Optum is currently being stated as unaffected, but all teams should be prepared in case this status changes
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Vendor Alert and Patches: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- Upgrading on-premise installations: Upgrade an on-premises installation – ConnectWise
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cvedetails.com/vulnerability-list/vendor_id-16764/Connectwise.html?page=1&order=1&trc=22&sha=2e463f3815ad4f4aeeac1ec706317914b56f0d29
- https://support.huntress.io/hc/en-us/articles/26571777267475-2024-Feb-ConnectWise-ScreenConnect-Vulnerability-Patching
- https://www.linkedin.com/posts/kevin-s-5965531_change-healthcare-is-believed-to-be-an-early-activity-7166949698556153857-cLVJ/
- https://h-isac.org/wp-content/uploads/2024/02/Change-Healthcare-Optum-Network-Connectivity-and-Additional-Recommendations.pdf