Attackers Exploit New Vulnerabilities in ConnectWise ScreenConnect on a Large Scale

Two new vulnerabilities have been disclosed in ConnectWise ScreenConnect, a widely deployed remote desktop and remote support product. They are tracked as CVE-2024-1709 and CVE-2024-1708; CVE-2024-1709 is the critical one and is the flaw that poses the immediate threat to organizations.

CVE-2024-1709 is an authentication bypass: a remote, unauthenticated attacker can reach the setup wizard of an already-configured server, overwrite the internal user database and create a new administrative account, thereby taking control of the instance. It affects ScreenConnect 23.9.7 and earlier. Exploitation is already widespread, with more than 3,000 vulnerable instances found exposed to the internet, and attackers have been observed deploying ransomware, information stealers and Cobalt Strike payloads once they hold admin access.

The less severe flaw, CVE-2024-1708, is a path traversal issue. An attacker who already holds administrative access (for example an account created via CVE-2024-1709) can use it to read and write files outside the directories the application is meant to expose.

Huntress, a U.S.-based cybersecurity company, has published technical details of both vulnerabilities. The ScreenConnect setup wizard (SetupWizard.aspx) creates the initial admin user and installs the license, and it is supposed to be unreachable once installation is complete. Huntress found that the guard can be bypassed by appending an extra path segment to the request, for example requesting /SetupWizard.aspx/ instead of /SetupWizard.aspx: the application still routes the request to the wizard, but the check that should block it does not recognise the altered path. Completing the wizard's user-creation step overwrites the internal user database, leaving the attacker as the sole administrator. An administrator can push commands and files to every endpoint the server manages and load extensions on the server itself, so the bypass effectively gives the attacker remote code execution.

A proof of concept for CVE-2024-1709 has been published on GitHub; it demonstrates how to add a new administrative user to a vulnerable server. Several attacks using the vulnerability have already been observed, including attackers dropping ransomware on customer networks.

Beyond ransomware, other payloads have been seen on compromised ScreenConnect instances, including password stealers, remote access Trojans (RATs) and Cobalt Strike beacons.

ONYPHE, a French cyber defense search engine, has identified thousands of exposed ScreenConnect instances, with the majority located in the United States.

To close both vulnerabilities, ConnectWise recommends upgrading to ScreenConnect 23.9.8 or later. For partners whose maintenance has lapsed, ConnectWise has made version 22.4 available at no additional cost; that release addresses CVE-2024-1709, the critical authentication bypass.

For detection, search the IIS logs of the ScreenConnect server for requests whose path contains “/SetupWizard.aspx/” (note the trailing slash: a legitimate first-run setup requests /SetupWizard.aspx without anything after it), and watch the “%ProgramFiles(x86)%\ScreenConnect\App_Extensions” folder for newly created extension files, since attackers with admin access have been seen dropping server-side code there.
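As a worked illustration of the two detection checks above, the following Python script is an added example (it is not ConnectWise, Huntress or Trend Micro code). It parses IIS W3C extended log lines, flags any request to SetupWizard.aspx that carries extra path information after “.aspx”, and lists recently modified server-side code files under an App_Extensions directory. The log lines embedded in the script are constructed sample data, not real traffic; the file-age threshold and the set of file suffixes treated as code are assumptions you should tune for your environment.

```python
"""Hunt for CVE-2024-1709 exploitation traces in IIS logs and App_Extensions.

Added example, not vendor code. Assumptions: IIS W3C extended log format with a
#Fields header (the default), and that any path info after SetupWizard.aspx is
abnormal (the bypass appends "/" or "/<anything>"; legitimate first-run setup
requests exactly /SetupWizard.aspx).
"""
import os
import re
import time
from dataclasses import dataclass

# Trailing slash after .aspx is the signal; IIS paths are case-insensitive.
SETUPWIZARD_BYPASS = re.compile(r"/setupwizard\.aspx/", re.IGNORECASE)

# File suffixes treated as server-side code inside App_Extensions (assumption).
EXTENSION_CODE_SUFFIXES = (".ashx", ".aspx", ".asmx", ".dll", ".cs")


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    path: str
    status: str


def parse_w3c(lines):
    """Yield one dict per record from IIS W3C log text, honouring #Fields."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue                       # other directives, or no header yet
        values = line.split(" ")           # IIS replaces spaces in values with '+'
        if len(values) != len(fields):
            continue                       # skip malformed records
        yield dict(zip(fields, values))


def find_setupwizard_bypass(lines):
    """Return Hit records for requests whose path matches the bypass pattern."""
    hits = []
    for row in parse_w3c(lines):
        path = row.get("cs-uri-stem", "")
        if SETUPWIZARD_BYPASS.search(path):
            hits.append(Hit(
                timestamp=f"{row.get('date', '')} {row.get('time', '')}",
                client_ip=row.get("c-ip", ""),
                method=row.get("cs-method", ""),
                path=path,
                status=row.get("sc-status", ""),
            ))
    return hits


def filter_recent_code_files(entries, now, max_age_seconds=7 * 24 * 3600):
    """entries: iterable of (path, mtime). Return sorted paths of code files
    modified within max_age_seconds of `now`; treat them as suspicious until
    matched to an extension you installed yourself."""
    return sorted(
        path for path, mtime in entries
        if path.lower().endswith(EXTENSION_CODE_SUFFIXES)
        and now - mtime <= max_age_seconds
    )


def recent_extension_files(app_extensions_dir, max_age_seconds=7 * 24 * 3600):
    """Walk App_Extensions on disk and apply filter_recent_code_files."""
    entries = []
    for root, _dirs, files in os.walk(app_extensions_dir):
        for name in files:
            full = os.path.join(root, name)
            entries.append((full, os.path.getmtime(full)))
    return filter_recent_code_files(entries, time.time(), max_age_seconds)


# Constructed sample log lines (not real traffic). Only the three requests
# with a trailing slash after SetupWizard.aspx should be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-02-20 10:01:02 203.0.113.5 GET /Login.aspx - 200
2024-02-20 10:01:09 203.0.113.5 GET /SetupWizard.aspx - 302
2024-02-20 10:01:15 203.0.113.5 GET /SetupWizard.aspx/ - 200
2024-02-20 10:01:21 203.0.113.5 POST /SetupWizard.aspx/ - 200
2024-02-20 10:02:30 198.51.100.7 POST /setupwizard.aspx/x - 200
2024-02-20 10:03:00 192.0.2.9 GET /Administration.aspx - 200
""".splitlines()


if __name__ == "__main__":
    for h in find_setupwizard_bypass(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client_ip} {h.method} {h.path} -> {h.status}")
    # On a real server: recent_extension_files(r"C:\Program Files (x86)\ScreenConnect\App_Extensions")
```

Run it against the exported IIS log files of the ScreenConnect server (typically under the inetpub\logs\LogFiles tree) by passing the file's lines to find_setupwizard_bypass; a POST to the bypass path followed by a new administrator account is the strongest indicator, and any flagged source IP should be treated as an attacker and the server assumed compromised.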

Disclosure: The author of this article works for Trend Micro, but the opinions expressed are their own.
