ScreenConnect flaws exploited to deliver all kinds of malware (CVE-2024-1709, CVE-2024-1708)
The recently patched vulnerabilities (CVE-2024-1709, CVE-2024-1708) in ConnectWise ScreenConnect software are being exploited by numerous attackers to deliver a variety of malicious payloads.
About ConnectWise ScreenConnect
ConnectWise ScreenConnect is a remote desktop solution consisting of server and client elements (applications).
The server element is offered as-a-service by ConnectWise or can be installed by customers on their own servers, either on-premises or in the cloud. Client software is installed on workstations and other endpoints, where and when needed, to enable remote access to those endpoints.
This makes it a popular solution for offering technical assistance or for remotely managing data centers. But this is also what makes it a popular solution for attackers, who exploit it to easily access and compromise a great number of enterprise endpoints.
The vulnerabilities and patches
The vulnerabilities affect the server component of ConnectWise ScreenConnect, version 23.9.7 and prior.
CVE-2024-1709 is an authentication bypass vulnerability that allows attackers to create system admin accounts on vulnerable instances and use them for their own malicious ends.
CVE-2024-1708 is a path traversal vulnerability that allows attackers to remotely execute code on vulnerable instances.
After the flaws were privately reported on February 13, ConnectWise patched its cloud environments and all cloud instances within two days and, on February 19, urged ScreenConnect customers to immediately upgrade their on-premises instances to a version with the fixes (v23.9.8).
Since then, the company has confirmed in-the-wild exploitation and pushed out new versions of the server software (v23.9.10.8817 and v22.4) without license restrictions, so that all users – even those that are no longer under maintenance – can get patches for CVE-2024-1709 or both flaws.
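The affected/fixed boundary above is easy to get wrong when server versions come back from an inventory as four-part strings, and two details from the article complicate a plain numeric comparison: cloud instances were patched by ConnectWise itself, and a fixed v22.4 build exists for customers who are no longer under maintenance. The following script is an added example, not code from the article or from ConnectWise; the host names, hosting labels, versions and status names are constructed for illustration, and the only facts it encodes are the ones stated above (23.9.7 and prior affected, 23.9.8 fixed, 23.9.10.8817 and a 22.4 rebuild published later).

```python
"""Triage a ScreenConnect server inventory against the versions named in the advisory.

Added example, not code from the article or from ConnectWise. The inventory
below is constructed; host names, hosting labels and versions are made up.
"""
from __future__ import annotations

from typing import Iterable

# From the article: server versions 23.9.7 and prior are affected, the fix
# shipped in 23.9.8, and fixed builds were later published as 23.9.10.8817
# and as a 22.4 release for customers no longer under maintenance.
LAST_AFFECTED = (23, 9, 7)
LEGACY_FIXED_LINE = (22, 4)   # a fixed 22.4 build exists; its build number is not given in the article

# Constructed inventory: (host, hosting model, reported server version)
INVENTORY = [
    ("sc-prod-01", "self-hosted", "23.9.7"),
    ("sc-prod-02", "self-hosted", "23.9.8"),
    ("sc-prod-03", "self-hosted", "23.9.10.8817"),
    ("sc-legacy-01", "self-hosted", "22.4"),
    ("sc-legacy-02", "self-hosted", "21.15.5"),
    ("sc-cloud-01", "cloud", "23.9.6"),
    ("sc-bad-01", "self-hosted", "unknown-build"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'23.9.10.8817' -> (23, 9, 10, 8817); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(hosting: str, version: str) -> str:
    """Return one of: vendor-patched, patched, vulnerable, verify-build, unknown.

    Only the first three components are compared, so a hypothetical
    23.9.7.<build> is still treated as affected and 23.9.8.<build> as fixed.
    """
    if hosting == "cloud":
        # The article states ConnectWise patched its own cloud instances.
        return "vendor-patched"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if v[:2] == LEGACY_FIXED_LINE:
        # A fixed 22.4 build exists but the article does not give its number,
        # so the 22.4 line cannot be decided from the version string alone.
        return "verify-build"
    return "vulnerable" if v[:3] <= LAST_AFFECTED else "patched"


def triage(inventory: Iterable[tuple[str, str, str]]) -> dict[str, str]:
    """Map each host to its triage status."""
    return {host: classify(hosting, version) for host, hosting, version in inventory}


def needs_action(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """Hosts to patch or inspect by hand: anything not known to be fixed."""
    return sorted(h for h, s in triage(inventory).items() if s not in ("patched", "vendor-patched"))


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:14} {status}")
    print("action list:", ", ".join(needs_action(INVENTORY)))
```

The script deliberately refuses to decide the 22.4 line from the version string alone and puts unparseable entries on the action list rather than silently dropping them; a version check is only a first pass, and, as the remediation advice below makes clear, a server that was exposed before patching still needs to be examined for compromise.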
CVE-2024-1709 exploited: The attacks, the malware
After PoC exploits for CVE-2024-1709 were made public, various attackers began targeting vulnerable public-facing ScreenConnect servers, hoping to use them as a way into enterprise networks.
“Mandiant has identified mass exploitation of these vulnerabilities by various threat actors. Many of them will deploy ransomware and conduct multifaceted extortion,” the Google subsidiary has shared.
Sophos’ X-Ops task force says that it spotted attackers delivering two different ransomware variants (both generated by the previously leaked LockBit builder), as well as infostealers, RATs, worms, Cobalt Strike payloads, and additional remote access clients (SimpleHelp, Google Chrome Remote Desktop).
Huntress researchers have spotted some of the same attacks, as well as attacks involving cryptocurrency miners and the setting up of SSH backdoors and persistent reverse shells.
Investigation and remediation
If you failed to upgrade your self-hosted ScreenConnect instance in time, you are now faced with the time-consuming process of searching for evidence of compromise, piecing together just how deep the attackers have managed to burrow into your enterprise network, and cleaning all affected systems to boot them out.
“Anyone using ScreenConnect should take steps to immediately isolate vulnerable servers and clients, patch them and check for any signs of compromise,” Sophos X-Ops stressed.
“Sophos has evidence that attacks against both servers and client machines are currently underway. Patching the server will not remove any malware or webshells attackers manage to deploy prior to patching and any compromised environments need to be investigated.”
Mandiant has shared investigative steps and offered actionable remediation advice and hardening recommendations to help defenders.