A few days after the first reports of exploitation started coming in for a critical vulnerability in the ConnectWise ScreenConnect remote desktop management service, researchers warn that a major supply chain attack may be about to erupt.
Once the bugs are exploited, hackers will gain remote access to “more than ten thousand servers controlling hundreds of thousands of endpoints,” Huntress CEO Kyle Hanslovan said in an email comment, arguing that it’s time to prepare for “the biggest cybersecurity incident of 2024.”
ScreenConnect can be used by technical support and others to authenticate to a machine as if it were the user. As such, it could allow threat actors to infiltrate high-value endpoints and exploit their privileges.
Even worse, the application is widely used by managed service providers (MSPs) to connect to customer environments, so it can also open the door to threat actors who want to use those MSPs for downstream access, similar to the wave of Kaseya attacks that businesses faced in 2021.
ConnectWise Bugs Get CVEs
ConnectWise disclosed the bugs on Monday without CVEs, after which proof-of-concept (PoC) exploits quickly appeared. On Tuesday, ConnectWise warned that the bugs were under active cyber attack. On Wednesday, several researchers reported an avalanche of cyber activity.
The vulnerabilities now have CVE tracking. One of them is a maximum-severity authentication bypass (CVE-2024-1709, CVSS 10), which allows an attacker with network access to the management interface to create a new administrator-level account on affected devices. It may be coupled with a second bug, a path traversal issue (CVE-2024-1708, CVSS 8.4) that allows unauthorized access to files.
Initial access brokers ramp up business
According to the Shadowserver Foundation, there are at least 8,200 vulnerable instances of the platform exposed to the Internet within its telemetry, the majority of which are located in the United States.
“CVE-2024-1709 is widely exploited in the wild: 643 IPs have been attacked by our sensors so far,” it said in a LinkedIn post.
Huntress researchers said a source within the U.S. intelligence community told them initial access brokers (IABs) have begun pouncing on the bugs to set up shop within various endpoints, with the intent of selling that access to ransomware groups.
And indeed, in one case, Huntress observed hackers use the vulnerabilities to deploy ransomware to a local government, including endpoints possibly connected to emergency services systems.
“The sheer prevalence of this software and the access afforded by this vulnerability signals that we are on the verge of a ransomware free for all,” Hanslovan said. “Hospitals, critical infrastructure and state institutions are at risk.”
He added: “And once they start pushing their data encryptors, I would be willing to bet that 90% of preventative security software won’t detect it because it’s from a trusted source.”
Bitdefender researchers, meanwhile, confirmed the activity, noting that threat actors are using malicious extensions to deploy a downloader that can install additional malware on compromised machines.
“We have seen several cases of potential attacks exploiting the ScreenConnect extensions folder, [while security tooling] suggests the presence of a downloader based on the built-in tool certutil.exe,” according to a Bitdefender blog post on the ConnectWise exploitation. “Threat actors commonly use this tool… to initiate the download of additional malicious payloads onto the victim’s system.”
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the bugs to its Known Exploited Vulnerabilities (KEV) catalog.
Mitigation for CVE-2024-1709, CVE-2024-1708
On-premises (self-hosted) versions up to and including 23.9.7 are vulnerable, so the best protection is to identify all systems where ConnectWise ScreenConnect is deployed and apply the patches released with ScreenConnect version 23.9.8.
Organizations should also pay attention to the indicators of compromise (IoCs) listed by ConnectWise in its advisory. Bitdefender researchers recommend monitoring the “C:\Program Files (x86)\ScreenConnect\App_Extensions\” folder; any suspicious .ashx or .aspx files stored directly in the root of that folder could indicate unauthorized code execution.
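The version check and the App_Extensions folder check from the two paragraphs above, combined into one triage helper. This is an added example, not code from the article, ConnectWise or Bitdefender; it assumes the default install path and the 23.9.8 patch threshold stated above, and the directory listing it runs against offline is constructed.

```python
"""Defender triage for the ScreenConnect indicators described above: an
on-premises version at or below 23.9.7, and .ashx/.aspx handlers sitting
directly in the root of the App_Extensions folder."""
import os
from pathlib import PureWindowsPath

# Values stated in the article: first patched release and the folder to watch.
PATCHED_VERSION = (23, 9, 8)
EXTENSIONS_ROOT = r"C:\Program Files (x86)\ScreenConnect\App_Extensions"
SUSPICIOUS_SUFFIXES = {".ashx", ".aspx"}

def parse_version(text):
    """'23.9.7' -> (23, 9, 7); a trailing build number is tolerated."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(version):
    """True when the first three components are below 23.9.8."""
    return parse_version(version)[:3] < PATCHED_VERSION

def suspicious_extension_files(paths, root=EXTENSIONS_ROOT):
    """Return .ashx/.aspx files located directly in the App_Extensions root.
    Files inside subfolders are not flagged; the indicator as described is a
    handler dropped into the root itself."""
    root_path = PureWindowsPath(root)
    hits = []
    for raw in paths:
        path = PureWindowsPath(raw)
        if path.parent == root_path and path.suffix.lower() in SUSPICIOUS_SUFFIXES:
            hits.append(str(path))
    return hits

def scan_live_host(root=EXTENSIONS_ROOT):
    """Run the same check against the real folder on a ScreenConnect server."""
    if not os.path.isdir(root):
        return []
    return suspicious_extension_files(os.path.join(root, n) for n in os.listdir(root))

def triage(version, listing):
    """Combine both indicators into one result."""
    return {"vulnerable_version": is_vulnerable(version),
            "suspicious_files": suspicious_extension_files(listing)}

# Constructed listing for offline use; the GUID-style subfolder name is a placeholder.
SAMPLE_LISTING = [
    EXTENSIONS_ROOT + r"\update.ashx",
    EXTENSIONS_ROOT + r"\00000000-0000-0000-0000-000000000001\Extension.xml",
    EXTENSIONS_ROOT + r"\00000000-0000-0000-0000-000000000001\Service.ashx",
    r"C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe",
]
```

Calling triage("23.9.7", SAMPLE_LISTING) flags both the version and update.ashx, while the Service.ashx inside the placeholder subfolder is left alone; scan_live_host() runs the folder check on a real server.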
Plus, there may be good news on the horizon: “ConnectWise said it has revoked licenses for unpatched servers, and while it’s not clear to us how this works, it appears this vulnerability is still a major concern for anyone using a vulnerable version or for those who don’t patch quickly,” the Bitdefender researchers added. “This is not to say that ConnectWise’s actions don’t work, we’re not sure how that worked out at this time.”