Alert essentials: Malware and ransomware variants are using an easy-to-exploit vulnerability in a rash of network compromises. Attacks involving ConnectWise ScreenConnect have grown rapidly in the last two days as the seemingly unrelated intrusions expand their reach. Update existing instances of ScreenConnect to version 23.9.8 or disconnect and discontinue use of the product.
Detailed threat description: Self-hosted and on-premise customers using remote connectivity tool ConnectWise’s ScreenConnect are advised to update to the latest version immediately. Two vulnerabilities have been recently discovered and are heavily active in the wild. The most serious of the flaws is an authentication bypass that allows the threat actor administrative or SYSTEM-level access to the compromised software. Cloud instances of ConnectWise ScreenConnect have already been updated, and no end-user action is required.
This flaw has been utilized in many malware and ransomware attacks observed over the last few days. Various research teams each report seeing hundreds of IPs under attack as CVE-2024-1709 becomes more widely exploited. Many security researchers have stated that they expect this vulnerability will continue to be actively targeted because of the ease of exploitation and existing proof-of-concept exploits. CISA added CVE-2024-1709 to their Known Exploits Catalog and requires federal agencies have until February 29 to upgrade vulnerable software versions. Comments from security leaders have suggested this could be the beginning of an enormous supply chain attack.
ConnectWise has removed license restrictions so older versions can be upgraded even if a maintenance agreement has expired. ConnectWise is mitigating vulnerable versions by suspending instances they find and alerting clients of the necessary actions to perform.
This product is frequently used by vendor and MSP connections and may be found in devices receiving less maintenance. It is highly advised that environments be investigated for product use and that all versions be upgraded to 23.9.8 immediately!
Impacts on healthcare organizations: These vulnerabilities have been found in various types of exploits including malware and ransomware. With the flaws a threat actor can compromise a network which could make life-saving technology unavailable for undetermined amounts of time.
Affected products / versions:
- ScreenConnect versions 22.4 through 23.9.7
CVEs
- CVE-2024-1709
- CVE-2024-1708
Recommendations
Engineering recommendations:
- Locate and upgrade any vulnerable versions of ConnectWise ScreenConnect
- If a user contacts you that a remote connection is frozen, check for association with a vulnerable ConnectWise product
- Add the Indicators of Compromise at the link below to cybersecurity monitoring platforms
- Bitdefender researchers advocate monitoring the “C:\Program Files (x86)\ScreenConnect\App_Extensions\” folder. Any suspicious .ashx and .aspx files stored directly in the root of that folder may indicate unauthorized code execution
- If a third-party vendor hosts your deployment of ScreenConnect Server, confirm with them they have upgraded their instance to 23.9.8 or later; if not, recommend that they take it offline until the patches are applied
- If you have ScreenConnect clients and are unsure of/unable to determine the patch status of all servers that may connect to it, you should presume these servers are vulnerable until you can verify otherwise
- Deploy endpoint security to any server currently or formerly used to run ScreenConnect
Leadership / program recommendations:
- ConnectWise may alert organizations of vulnerable versions of ScreenConnect that have suspended functionality
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Vendor Alert and Patches: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- Upgrading on-premise installations: Upgrade an on-premises installation – ConnectWise
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cvedetails.com/vulnerability-list/vendor_id-16764/Connectwise.html?page=1&order=1&trc=22&sha=2e463f3815ad4f4aeeac1ec706317914b56f0d29
- https://support.huntress.io/hc/en-us/articles/26571777267475-2024-Feb-ConnectWise-ScreenConnect-Vulnerability-Patching