Instances of the ConnectWise ScreenConnect remote management platform are now under attack from cyber threats after a critical vulnerability in the service was disclosed. One individual using a leaked variant of LockBit ransomware is among those carrying out the attacks. The vulnerability, known as CVE-2024-1709, is easy to exploit and allows for authentication bypass. Another less severe but still dangerous issue, CVE-2024-1708, is also circulating. ConnectWise has released patches to address the vulnerabilities and users are advised to apply them immediately. As predicted, attacks are already occurring, with multiple instances of malware, Remote Access Trojans (RATs), infostealers, password stealers, and ransomware being used against vulnerable ScreenConnect servers. Users are urged to isolate vulnerable servers and clients, patch them, and look for signs of compromise. Action1, a patch management specialist, warns that thousands of instances could potentially be compromised. Cloud customers hosting ScreenConnect servers on certain domains are not affected. Approximately 9,000 vulnerable instances of ScreenConnect are exposed to the internet, with around 500 in the UK. Sophos emphasizes the need for users to go beyond patching and to proactively assess their exposure and investigate for potential malicious activity. ConnectWise has stated that the vulnerabilities have been swiftly addressed, with cloud partners automatically protected and on-premise customers urged to apply the provided patch. ConnectWise is committed to the security of its systems and will continue to address vulnerabilities promptly. At this time, there is no direct link established between the vulnerability and any security incidents.
Menu
