UPDATE (2/28/2024)

ConnectWise issued a security advisory urging all ScreenConnect server admins to apply patches immediately to mitigate a severe authentication bypass vulnerability that allows remote code execution, as well as a path traversal vulnerability. Initially, the flaws did not have CVEs and were identified only by CWE numbers. Now that the vulnerabilities are being massively exploited, they are being tracked as CVE-2024-1709 and CVE-2024-1708.

CVE-2024-1709 is the authentication bypass flaw, which is easy for attackers to exploit, while CVE-2024-1708 is the path traversal flaw that allows attackers to remotely plant malicious code on vulnerable ConnectWise customer instances. The vulnerabilities impact ScreenConnect 23.9.7 and earlier versions. ConnectWise is recommending that all on-premise partners update to ScreenConnect version 23.9.8 to safeguard against potential attacks. Cloud servers hosted on screenconnect.com or hostedrmm.com are already secured.

Threat actors exploiting the vulnerabilities include the Black Basta and Bloody ransomware operations. Last week, the company lifted all license restrictions, allowing customers with expired licenses to safeguard their servers against ongoing attacks, particularly since these two security vulnerabilities affect all versions of ScreenConnect. On Thursday, CISA included CVE-2024-1709 in its Known Exploited Vulnerabilities Catalog, directing U.S. federal agencies to secure their servers by February 29. Avertium highly recommends that organizations follow the patch guidance from our original flash notice below.

Atomic IoCs: 


IoCs that could indicate compromise:

  • Presence of User.xml in the ScreenConnect install path on Windows. This file generally equates to an owned server: isolate the endpoint, inspect the file, and look for evidence of RCE.
  • Examine this file on the server hosting ConnectWise ScreenConnect: C:\Program Files (x86)\ScreenConnect\App_Data\User.xml
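As an added example (not from the notice, ConnectWise or Huntress), a small Python triage helper that applies the two checks above to an on-premise server: whether the installed version is below the fixed release 23.9.8, and whether App_Data\User.xml is present. The version string is assumed to be supplied by the operator; the file path is the one given above.

```python
import os
import re
import time

# From the notice: 23.9.7 and earlier are affected, 23.9.8 is the fixed release.
FIXED_VERSION = (23, 9, 8)
# Default on-premise location of the file the notice treats as an IoC.
DEFAULT_USER_XML = r"C:\Program Files (x86)\ScreenConnect\App_Data\User.xml"


def parse_version(text: str) -> tuple:
    """Turn '23.9.7' or '22.4' into a tuple of ints for ordered comparison.

    Any trailing build number is kept; a shorter tuple compares lower when
    its prefix matches, so '22.4' < '23.9.8' and '23.9.8.0' >= '23.9.8'.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True for any release below 23.9.8 (i.e. 23.9.7 and earlier)."""
    return parse_version(version) < FIXED_VERSION


def check_user_xml(path: str = DEFAULT_USER_XML) -> dict:
    """Report whether User.xml exists and when it was last written.

    Presence is the IoC; the mtime scopes the investigation window.
    The file is only observed here, not parsed.
    """
    if not os.path.exists(path):
        return {"path": path, "present": False}
    stamp = time.strftime("%Y-%m-%d %H:%M:%SZ", time.gmtime(os.path.getmtime(path)))
    return {"path": path, "present": True, "modified_utc": stamp}


def triage(version: str, user_xml_path: str = DEFAULT_USER_XML) -> dict:
    """Combine both checks into one verdict for an on-premise server."""
    xml = check_user_xml(user_xml_path)
    affected = is_affected(version)
    if xml["present"]:
        action = "isolate host; inspect User.xml for evidence of RCE"
    elif affected:
        action = "update to 23.9.8 now"
    else:
        action = "patched; no User.xml found"
    return {"version": version, "affected": affected, "user_xml": xml, "action": action}
```

Run it on the server with the version shown in the ScreenConnect admin page, e.g. `triage("23.9.7")`; a present User.xml outranks the version check because it suggests the host has already been touched.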

OVERVIEW

ConnectWise has issued a security advisory urging all ScreenConnect server admins to apply patches immediately to mitigate a severe Remote Code Execution (RCE) vulnerability. The vulnerability has a maximum security rating and stems from an authentication bypass weakness, enabling attackers to execute arbitrary code or access sensitive data remotely without user interaction. 

The vulnerabilities affect ScreenConnect 23.9.7 and earlier versions and were assigned CWE IDs for authentication bypass (CWE-288) and path traversal (CWE-22). While there is currently no evidence of exploitation in the wild, ConnectWise is recommending that all on-premise partners update to ScreenConnect version 23.9.8 to safeguard against potential attacks. Cloud servers hosted on screenconnect.com or hostedrmm.com are already secured.

Huntress researchers have already developed a proof-of-concept exploit, and Censys states that there are over 8,800 vulnerable servers, with Shodan identifying over 7,600 servers, of which only 160 are running the patched version. Avertium recommends that organizations using ConnectWise patch immediately to ensure safety.  

AVERTIUM'S RECOMMENDATIONS

  • Avertium recommends adhering to ConnectWise’s recommendations: 
    • Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch. 
    • ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommends that partners update to ScreenConnect version 23.9.8.
    • For instructions on updating to the newest release, please reference this doc: Upgrade an on-premise installation – ConnectWise 
    • Link to patch: Download ConnectWise ScreenConnect  
  • For detection guidance, please see Huntress’ article 

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with the ScreenConnect vulnerability. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

HOW AVERTIUM IS PROTECTING OUR CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
    • Risk Assessments 
    • Pen Testing and Social Engineering  
    • Infrastructure Architecture and Integration  
    • Zero Trust Network Architecture 
    • Vulnerability Management 
  • We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION

Critical ConnectWise ScreenConnect vulnerabilities fixed, patch ASAP! - Help Net Security 

Detection Guidance for ConnectWise CWE-288 (huntress.com) 

connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 

ConnectWise urges ScreenConnect admins to patch critical RCE flaw (bleepingcomputer.com) 

Change Healthcare Cyberattack: Network Connectivity Issues, Indicators of Compromise | AHA
