Users of the ConnectWise ScreenConnect remote desktop management tool are under active cyber attack, after a proof-of-concept (PoC) exploit surfaced for a maximum-severity security vulnerability in the platform. The situation has the potential to explode into a mass compromise event, researchers warn.
ScreenConnect can be used by technical support and others to authenticate to a machine as if it were the user. As such, it offers a conduit to threat actors looking to infiltrate high-value endpoints and any other areas of corporate networks to which they may have access.
Critical bypass of ScreenConnect authentication
In a notice on Monday, ConnectWise revealed an authentication bypass that scores 10 out of 10 on the CVSS vulnerability severity scale. Beyond opening the gateway to targeted desktops, it lets attackers reach a second bug, also revealed on Monday: a path-traversal issue (CVSS 8.4) that allows unauthorized access to files.
“This vulnerability allows an attacker to create their own administrative user on the ScreenConnect server, giving them full control over the server,” James Horseman, developer of the Horizon3.ai exploit, said in a blog post today that provides technical details on the authentication bypass and indicators of compromise (IoCs). “This vulnerability follows the theme of other recent vulnerabilities that allow attackers to reinitialize applications or create initial users after configuration.”
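The bug class Horseman describes, a first-run setup endpoint that creates the initial administrator and is supposed to be unreachable once the application is configured, can be illustrated with a small vulnerable-versus-hardened handler. This is constructed example code added for this page, not ScreenConnect's implementation; the specific weakness shown (the "already configured" guard and the router normalising the request path differently) is an assumed, generic shape of the class, and the usernames and paths are made up.

```python
"""Illustrative setup-wizard guard: vulnerable form beside the hardened form.
Constructed example, not ScreenConnect code; the path-handling mismatch is an
assumption made for illustration."""

from dataclasses import dataclass, field


@dataclass
class AppState:
    setup_done: bool = False
    users: dict = field(default_factory=dict)  # username -> {"role": ..., "password": ...}


def run_setup_wizard(state: AppState, username: str, password: str) -> dict:
    """Create the initial administrator. Has no guard of its own, so every
    caller must enforce 'setup not yet completed' before reaching it."""
    state.users[username] = {"role": "admin", "password": password}
    state.setup_done = True
    return {"status": 200, "body": f"admin {username} created"}


def vulnerable_dispatch(state: AppState, path: str, form: dict) -> dict:
    # The guard compares the raw path, but the router normalises it before
    # matching. Any spelling the guard does not recognise ("/setup/", "/Setup")
    # sails past the guard and still reaches the wizard.
    if path == "/setup" and state.setup_done:
        return {"status": 403, "body": "setup already completed"}
    route = path.rstrip("/").lower()
    if route == "/setup":
        return run_setup_wizard(state, form["user"], form["password"])
    return {"status": 404, "body": "not found"}


def hardened_dispatch(state: AppState, path: str, form: dict) -> dict:
    route = path.rstrip("/").lower()
    if route == "/setup":
        # Enforce the state check at the handler, after the same normalisation
        # the router uses, so no alternate spelling can re-run setup.
        if state.setup_done:
            return {"status": 403, "body": "setup already completed"}
        return run_setup_wizard(state, form["user"], form["password"])
    return {"status": 404, "body": "not found"}


def demo(dispatch) -> list:
    """Configure the app legitimately, then replay setup as an attacker using
    path variants. Returns the admin usernames that exist afterwards, which is
    the IoC defenders are told to look for: an admin they did not create."""
    state = AppState()
    dispatch(state, "/setup", {"user": "owner", "password": "correct horse"})
    for attacker_path in ("/setup", "/setup/", "/Setup"):
        dispatch(state, attacker_path, {"user": "attacker", "password": "pwned"})
    return sorted(u for u, r in state.users.items() if r["role"] == "admin")


if __name__ == "__main__":
    print("vulnerable admins:", demo(vulnerable_dispatch))  # ['attacker', 'owner']
    print("hardened admins:  ", demo(hardened_dispatch))    # ['owner']
```

The point of the hardened form is not the particular normalisation but where the check lives: the "is this instance already configured?" decision has to be made by the code that actually creates the user, on the same view of the request the router used, rather than by a pre-filter that can be routed around.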
On Tuesday, ConnectWise updated its advisory to confirm active exploitation of the issues, which do not yet have CVEs assigned: “We have received updates of compromised accounts that our incident response team was able to investigate and confirm.” It also added an extensive list of IoCs.
Meanwhile, Piotr Kijewski, CEO of the Shadowserver Foundation, confirmed that he had seen the first exploitation requests in the non-profit organization’s honeypot sensors.
“Check for any signs of compromise (such as adding new users) and apply the patch!” he wrote via the Shadowserver mailing list, adding that as of Tuesday, 93% of Internet-exposed ScreenConnect instances were still vulnerable (around 3,800 installations), most of them located in the United States.
The vulnerabilities affect ScreenConnect versions 23.9.7 and earlier and specifically affect self-hosted or local installations; Cloud customers hosting ScreenConnect servers on “screenconnect.com” or “hostedrmm.com” domains are not affected.
Expect ConnectWise exploitation to snowball
While exploitation attempts are currently limited, Mike Walters, president and co-founder of Action1, said in an emailed comment that companies should expect “significant security implications” from the ConnectWise bugs.
Walters, who also confirmed in-the-wild exploitation of the vulnerabilities, said he expected potentially “thousands of compromised instances.” But the problems also have the potential to explode into a wide-ranging supply chain attack in which attackers infiltrate managed security service providers (MSSPs) and then target their enterprise customers.
He explained: “A massive attack exploiting these vulnerabilities could be similar to the exploitation of Kaseya’s vulnerability in 2021, since ScreenConnect is a very popular RMM [remote monitoring and management] tool among MSPs and MSSPs, and could cause comparable damage.”
So far, both Huntress and Horizon3’s attack team have publicly released PoCs for the bugs, and more are sure to follow.
To protect themselves, ScreenConnect administrators of self-hosted and on-premises servers should immediately update to version 23.9.8 to patch their systems, then use the provided IoCs to look for signs of exploitation.
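A first triage step is to run an inventory against the affected-version and hosting scope stated above (23.9.7 and earlier is affected; 23.9.8 is the fix; servers hosted by ConnectWise on screenconnect.com or hostedrmm.com are out of scope). The script below is an added example written for this page, not ConnectWise tooling; the inventory entries, hostnames and four-part build numbers in it are constructed, and the inventory format (hostname plus reported version string) is an assumption.

```python
"""Triage a ScreenConnect server inventory against the advisory scope.
Constructed example, not ConnectWise tooling; hostnames and build numbers are
made up and the (hostname, version) inventory format is assumed."""

FIXED_VERSION = (23, 9, 8)
CLOUD_DOMAINS = ("screenconnect.com", "hostedrmm.com")


def parse_version(text: str) -> tuple:
    """'23.9.7.8804' -> (23, 9, 7, 8804). Raises ValueError on anything that is
    not at least major.minor.patch, so junk rows are surfaced, not silently
    classified as safe."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def is_cloud_hosted(hostname: str) -> bool:
    """True only for hosts that are the cloud domain or a subdomain of it.
    A plain substring test would also match 'screenconnect.com.evil.example',
    which is self-hosted and must not be excluded."""
    host = hostname.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_DOMAINS)


def needs_patch(hostname: str, version: str) -> bool:
    """Self-hosted and below 23.9.8 on the first three components."""
    if is_cloud_hosted(hostname):
        return False
    return parse_version(version)[:3] < FIXED_VERSION


def triage(inventory):
    """Split (hostname, version) rows into patch-now, ok and unparseable lists."""
    patch_now, ok, unparseable = [], [], []
    for hostname, version in inventory:
        try:
            (patch_now if needs_patch(hostname, version) else ok).append(hostname)
        except ValueError:
            unparseable.append(hostname)
    return patch_now, ok, unparseable


# Constructed inventory; build numbers are illustrative, not real releases.
SAMPLE_INVENTORY = [
    ("sc.corp.example", "23.9.7.8804"),           # self-hosted, affected
    ("sc-dr.corp.example", "23.9.8.8811"),         # self-hosted, on the fix
    ("sc-new.corp.example", "24.1.0.8830"),        # later branch, above the fix
    ("sc-old.branch.example", "22.8.3.5000"),      # older branch, affected
    ("acme.screenconnect.com", "23.9.7"),          # ConnectWise-hosted, out of scope
    ("msp.hostedrmm.com", "23.9.7"),               # ConnectWise-hosted, out of scope
    ("screenconnect.com.evil.example", "23.9.7"),  # look-alike, still self-hosted
    ("sc-broken.corp.example", "unknown"),         # bad data, report it
]

if __name__ == "__main__":
    patch_now, ok, unparseable = triage(SAMPLE_INVENTORY)
    print("patch now:  ", patch_now)
    print("ok:         ", ok)
    print("unparseable:", unparseable)
```

Rows that cannot be parsed are reported separately rather than treated as safe, because an inventory that cannot state a version is exactly the host that tends to be the unpatched one.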