ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware

Published: 23/11/2024   Category: security




Hundreds of initial access brokers and cybercrime gangs are jumping on the max-critical CVE-2024-1709 authentication bypass, threatening orgs and downstream customers.



Just days after initial exploitation reports started rolling in for a critical security vulnerability in the ConnectWise ScreenConnect remote desktop management service, researchers are warning that a supply chain attack of outsized proportions could be poised to erupt.
Once the bugs are exploited, hackers will gain remote access into upwards of ten thousand servers that control hundreds of thousands of endpoints, Huntress CEO Kyle Hanslovan said in emailed commentary, opining that it's time to prepare for the biggest cybersecurity incident of 2024.
ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it could allow threat actors to infiltrate high-value endpoints and exploit their privileges.
Even worse, the application is widely used by managed service providers (MSPs) to connect to customer environments, so it can also open the door to threat actors looking to use those MSPs for downstream access, similar to the tsunami of Kaseya attacks that businesses faced in 2021.
ConnectWise disclosed the bugs on Monday with no CVEs, after which proof-of-concept (PoC) exploits quickly appeared. On Tuesday, ConnectWise warned that the bugs were under active cyberattack. By Wednesday, multiple researchers were reporting snowballing cyber activity.
The vulnerabilities now have tracking CVEs. One of them is a max-severity authentication bypass (CVE-2024-1709, CVSS 10), which allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices. It can be paired with a second bug, a path-traversal issue (CVE-2024-1708, CVSS 8.4) that allows unauthorized file access.
According to the Shadowserver Foundation, there are at least 8,200 vulnerable instances of the platform exposed to the Internet within its telemetry, with the majority of them located in the US.
"CVE-2024-1709 is widely exploited in the wild: 643 IPs seen attacking to date by our sensors," it said in a LinkedIn post.
Huntress researchers said a source within the US intelligence community told them that initial access brokers (IABs) have started pouncing on the bugs to set up shop inside various endpoints, with the intent of selling that access to ransomware groups.
And indeed, on one instance, Huntress observed cyberattackers using the security vulnerabilities to deploy ransomware to a local government, including endpoints likely linked to 911 systems.
"The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all," Hanslovan said. "Hospitals, critical infrastructure, and state institutions are proven at risk."
He added: "And once they start pushing their data encryptors, I'd be willing to bet 90% of preventative security software won't catch it because it's coming from a trusted source."
Bitdefender researchers, meanwhile, corroborated the activity, noting that threat actors are using malicious extensions to deploy a downloader capable of installing additional malware on compromised machines.
"We've noticed several instances of potential attacks leveraging the extensions folder of ScreenConnect, [while security tooling] suggests the presence of a downloader based on the certutil.exe built-in tool," according to a Bitdefender blog post on the ConnectWise cyber activity. "Threat actors commonly employ this tool … to initiate the download of additional malicious payloads onto the victim's system."
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the bugs to its Known Exploited Vulnerabilities catalog.
On-premises versions up to and including 23.9.7 are vulnerable — so the best protection is identifying all systems where ConnectWise ScreenConnect is deployed and applying the patches, issued with ScreenConnect version 23.9.8.
Organizations should also keep a lookout for indicators of compromise (IoCs) listed by ConnectWise in its advisory. Bitdefender researchers advocate monitoring the `C:\Program Files (x86)\ScreenConnect\App_Extensions` folder; Bitdefender flagged that any suspicious .ashx and .aspx files stored directly in the root of that folder may indicate unauthorized code execution.
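A defensive check for the two things the article tells administrators to look at, added here as an example and not code from ConnectWise, Bitdefender or the article: whether an on-premises install is still on a release up to and including 23.9.7, and whether any .ashx/.aspx files sit directly in the root of App_Extensions. The default install path and the assumption that legitimate extensions live in their own subfolders are mine.

```python
"""Defensive checks for the ScreenConnect indicators described in the article:
an unpatched on-premises version (<= 23.9.7) and suspicious .ashx/.aspx files
dropped directly into the root of the App_Extensions folder."""
from pathlib import Path

# Default install path as given in the article; override for a non-standard install (assumption)
DEFAULT_EXTENSIONS_DIR = Path(r"C:\Program Files (x86)\ScreenConnect\App_Extensions")
FIRST_PATCHED_VERSION = (23, 9, 8)   # article: 23.9.8 is the fixed release
SUSPICIOUS_SUFFIXES = {".ashx", ".aspx"}


def parse_version(version: str) -> tuple:
    """Turn '23.9.7' into (23, 9, 7) so releases compare numerically, not as strings
    (string comparison would wrongly rank '23.9.10' below '23.9.8')."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for any on-premises release up to and including 23.9.7."""
    return parse_version(version) < FIRST_PATCHED_VERSION


def find_suspicious_extension_files(extensions_dir: Path = DEFAULT_EXTENSIONS_DIR) -> list:
    """Return .ashx/.aspx files sitting directly in App_Extensions, not inside an
    extension's own subfolder, which the article flags as a sign of unauthorized
    code execution. A missing folder simply yields no findings."""
    if not extensions_dir.is_dir():
        return []
    return sorted(
        p for p in extensions_dir.iterdir()
        if p.is_file() and p.suffix.lower() in SUSPICIOUS_SUFFIXES
    )


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else "23.9.7"
    state = "VULNERABLE - patch to 23.9.8 or later" if is_vulnerable_version(version) else "patched"
    print(f"ScreenConnect {version}: {state}")
    for hit in find_suspicious_extension_files():
        print(f"suspicious file in App_Extensions root: {hit}")
```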
"Also, there could be good news on the horizon: ConnectWise stated they revoked licenses for unpatched servers, and while it's unclear on our end how this works, it appears this vulnerability is still a major concern for anyone running a vulnerable version or who did not patch swiftly," Bitdefender researchers added. "This is not to say ConnectWise's actions aren't working; we're unsure of how this played out at this time."
