ConnectWise ScreenConnect: Emerging Threat published on Risk Ledger

Summary

Vulnerabilities in on-premise ConnectWise ScreenConnect remote access systems are being actively exploited to deliver a variety of different malware payloads into business environments.

Threat Actor actions observed can be summarised as:

• Gain administrator privileges to the ConnectWise ScreenConnect server - evicting other current administrators
• Use ScreenConnect to deploy a variety of malware to managed endpoint devices (servers, desktops and laptops)
• Managed Service Providers (MSPs) running ConnectWise to manage customer fleets provide opportunities to magnify the server exploit into impactful exploit of multiple connected customer organisations

Threat Description

On February 19, 2024, ConnectWise released a security advisory for its remote monitoring and management (RMM) software.

Their advisory highlighted two vulnerabilities that impact ScreenConnect versions 23.9.7 and earlier.

ConnectWise states in the advisory these vulnerabilities are rated as “Critical—Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems”. The two vulnerabilities are:

• CVE-2024-1709 (CWE-288) — Authentication Bypass — CVSS score of 10 “Critical”
• CVE-2024-1708 (CWE-22) — Path Traversal — CVSS score of 8.4 “High Priority”

The vulnerabilities involve the server software itself, not the client software that is installed on the end-user devices. Threat Actors are using these vulnerabilities to take control of the server and use the capabilities of SecureConnnect Extensions to deploy malware to servers, desktops and laptops with the client software installed.

Sophos X-Ops blog Figure 1: illustrates a 90-day summary of hits with a ScreenConnect parent process on machines. This shows spikes of activity starting around 10th January in addition to the notable surge around 18th February

Data from internet scanning service Censys showed over 8,000 vulnerable ScreenConnect servers when the vulnerability was disclosed on 19th February.

On February 21, 2024, proof of concept (PoC) code was released on GitHub that exploits these vulnerabilities and adds a new user to the compromised system. Indications are that this has been integrated into malware toolkits and is being actively used by several Threat Actors to conduct attacks.  This is one of several PoCs currently known.

Threat Actors have been seen to deploy a variety of ransomware (some examples are based on LockBit code), password stealers and remote access trojans to establish persistence in organisations.

Applicability

Your organisation may use ScreenConnect directly, or you may have contracted IT support to a Managed Service Provider (MSP) that uses ScreenConnect to manage your fleet of servers and user devices.  If the MSP’s ScreenConnect server was exploited, all of their customers may be at risk as part of a supply-chain attack.

Cloud-hosted implementations of ScreenConnect, including screenconnect.com, received mitigations with hours of validation to address these vulnerabilities.

Self-hosted (on-premise) implementations, unless upgraded to version 23.9.8, remain at risk.

Upgrading the server will not remove any malware or web shells that Threat Actors managed to deploy prior to upgrading, so any compromised environments need to be investigated.

What you should do about it

1. If you have an on-premises instance in your environment running a version prior to 23.9.8:
          
          a) take it offline immediately
          
          b) upgrade the server to ScreenConnect v23.9.8 (available on ScreenConnect’s
              download page)
   ‍

2. If you have an on-premises instance that was upgraded to version 23.9.8 or later prior to February 21, you are not at risk, though it would be wise to inspect the server to ensure no malicious payloads were installed (see 4).
   ‍
3. If your deployment of ScreenConnect Server is hosted by a MSP, confirm with them they have upgraded their instance to 23.9.8 or later; if they have not, recommend that they take it offline until the patches are applied.
   ‍
4. Once patching has been completed, perform a thorough review of the ScreenConnect installation looking for unknown accounts and abnormal server activity:
   ‍
            a) Review the users.xml for signs of new accounts or modifications.
   ‍
            b) Assume that any machines hosting a ScreenConnect server could have one or more
                 implanted web shells (or other remote access tools not installed by your IT team) that
                 need to be found and removed.
   ‍
            c) Inspect your estate for newly added user IDs or accounts and remove or freeze access
                 to them until they are known to be legitimate.
   ‍
            d) In an on-premises installation, check the location where any ScreenConnect Extensions
                 are located for web shells or other payloads (files with .ps1, .bat or .cmd file suffixes).
                 Devices with recently applied ScreenConnect Extensions (via a compromised
                 SecureConnect server) may host malware including hibernating ransomware, password
                 stealers and remote access trojans.
   ‍

        5. Deploy endpoint security to any server currently or formerly used to run ScreenConnect.
      

Where to find more information

Maintain oversight of developments published by ConnectWise:

https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Sophos X-Ops blog has additional details related to the vulnerability and examples of exploitation:

https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/