New ScreenConnect RCE Flaw Exploited in Ransomware Attacks

Summary:
Last week ConnectWise released patches for a maximum-severity flaw in its ScreenConnect remote access software. Tracked as CVE-2024-1709, the bug is an authentication bypass that could let attackers gain access to confidential information or critical systems. At the time of its initial advisory, ConnectWise said it had no evidence that the flaw was being exploited in the wild. Over the past week, however, actors have begun using the exploit to deploy a range of payloads on victim environments. In particular, researchers at Sophos X-Ops have reported the flaw being used to drop a LockBit ransomware variant (dubbed buhtiRansom) that was reportedly built with the LockBit builder leaked by a disgruntled malware developer in September 2022. Other payloads observed by Sophos include AsyncRAT and various infostealers. Huntress has also seen Cobalt Strike, SSH tunnels, and cryptocurrency miners deployed after successful exploitation.

Security Officer Comments:
The development comes after Huntress published a technical analysis and working proof-of-concept (PoC) for CVE-2024-1709, which lowered the bar for attackers to launch their own attacks. The Shadowserver Foundation reports 643 IPs currently targeting vulnerable servers. Few details about individual intrusions have been released, but known victims include a local government and a healthcare clinic.

Suggested Corrections:
Shodan currently lists 8,659 Internet-exposed ScreenConnect servers, of which only 980 run the patched 23.9.8 release. Most of the vulnerable servers are in the United States, followed by Canada and the United Kingdom. Given the active exploitation, CISA is urging organizations to apply the patches as soon as possible, with a deadline of February 29 for federal agencies. Note that upgrading to 23.9.8 or later closes the bypass but does not remove any accounts or extensions an attacker may already have created, so patched hosts still need to be reviewed for signs of prior compromise.

Bitdefender recommends monitoring the "C:\Program Files (x86)\ScreenConnect\App_Extensions\" folder: legitimate extensions live in their own subfolders, so any .ashx or .aspx file stored directly in the root of that folder is suspicious and may indicate unauthorized code execution.
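The following PowerShell script is an added example for this page, not code from ConnectWise, Bitdefender, Huntress or the linked articles. It performs a read-only triage of an on-premises ScreenConnect host: it compares the installed build against 23.9.8 and then lists anything sitting directly in the App_Extensions root, flagging .ashx and .aspx handlers as suspicious. The install path, the location of ScreenConnect.Service.exe, and the assumption that its file version matches the product version are all assumptions; adjust them if the server was installed elsewhere.

```powershell
# Added example (not ConnectWise, Bitdefender or Huntress code): read-only triage of an
# on-prem ScreenConnect host for CVE-2024-1709. Paths below are assumed defaults.

$ScInstall      = 'C:\Program Files (x86)\ScreenConnect'                 # assumed default install path
$ServiceExe     = Join-Path $ScInstall 'Bin\ScreenConnect.Service.exe'   # assumed location of the service binary
$ExtensionsRoot = Join-Path $ScInstall 'App_Extensions'
$PatchedVersion = [version]'23.9.8'                                      # first release with the fix

$findings = @()

# --- 1. Is the server still on a vulnerable build? ---------------------------
if (Test-Path -LiteralPath $ServiceExe) {
    # ProductVersion is expected to look like "23.9.8.1234"; keep only digits and dots
    $raw       = (Get-Item -LiteralPath $ServiceExe).VersionInfo.ProductVersion
    $installed = [version]($raw -replace '[^0-9.].*$', '')
    if ($installed -lt $PatchedVersion) {
        $findings += "UNPATCHED: ScreenConnect $installed is below $PatchedVersion (CVE-2024-1709)"
    } else {
        Write-Host "ScreenConnect $installed is at or above $PatchedVersion"
    }
} else {
    $findings += "Service binary not found at $ServiceExe; verify the install path before trusting this check"
}

# --- 2. Anything dropped straight into App_Extensions? ------------------------
# Legitimate extensions sit in their own subfolders; web handlers at the root are not expected.
if (Test-Path -LiteralPath $ExtensionsRoot) {
    foreach ($file in Get-ChildItem -LiteralPath $ExtensionsRoot -File) {
        $severity = if ($file.Extension -in '.ashx', '.aspx') { 'SUSPICIOUS' } else { 'REVIEW' }
        $owner    = (Get-Acl -LiteralPath $file.FullName).Owner
        $hash     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $findings += ('{0}: {1} written {2:u} owner {3} sha256 {4}' -f
                      $severity, $file.FullName, $file.LastWriteTimeUtc, $owner, $hash)
    }
    # Extension subfolders created recently are worth checking against the change log as well
    foreach ($dir in Get-ChildItem -LiteralPath $ExtensionsRoot -Directory) {
        if ($dir.CreationTimeUtc -gt (Get-Date).ToUniversalTime().AddDays(-14)) {
            $findings += ('RECENT EXTENSION FOLDER: {0} created {1:u}' -f $dir.FullName, $dir.CreationTimeUtc)
        }
    }
} else {
    $findings += "App_Extensions folder not found at $ExtensionsRoot; verify the install path"
}

# --- 3. Report ---------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Host 'No findings: patched build and nothing unexpected in App_Extensions'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit so the script can gate a fleet-wide sweep
}
```

Run it in an elevated PowerShell session on each on-premises server (cloud-hosted ScreenConnect instances were patched by ConnectWise and do not apply). A SUSPICIOUS hit is a reason to preserve the file and its hash for investigation rather than delete it, since the same intrusion is likely to have left other artifacts on the host.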

Link(s):
https://www.huntress.com/blog/a-cat...nding-the-screenconnect-authentication-bypass
https://infosec.exchange/@SophosXOps/111975047329915026
https://www.bitdefender.com/blog/bu...nectwise-screenconnect-authentication-bypass/
https://www.bleepingcomputer.com/ne...ect-rce-flaw-exploited-in-ransomware-attacks/