ConnectWise ScreenConnect flaws under attack, patch now

Security experts are sounding the alarm on two vulnerabilities in ConnectWise ScreenConnect that are under active exploitation by threat actors.

ConnectWise on Monday published an advisory for two vulnerabilities -- tracked as CVE-2024-1709 and CVE-2024-1708 -- affecting its ScreenConnect remote access software. CVE-2024-1709 is a critical authentication bypass vulnerability with a 10 CVSS score, the highest severity possible, and CVE-2024-1708 is a path traversal flaw with a CVSS score of 8.4. The vendor said the vulnerabilities were initially reported on Feb. 13 through its bug disclosure program.

On Tuesday, ConnectWise updated its advisory to note that it has observed instances of exploitation. "We received updates of compromised accounts that our incident response team have been able to investigate and confirm," it read.

ConnectWise has since altered the language about exploitation activity in the advisory. "We've received notifications of suspicious activity that our incident response team has investigated," it now reads. The advisory lists IP addresses used recently by threat actors as indicators of compromise.

Around the same time that ConnectWise confirmed exploitation, researchers from vendors such as Rapid7 and Huntress similarly referenced exploitation.

Cloud instances of ScreenConnect have been updated to address the vulnerabilities, while on-premises customers are urged to update to version 23.9.8 or later immediately.

A Huntress blog post dedicated to the flaws noted that the exploit was "trivial and embarrassingly easy." A spokesperson for the vendor said Huntress researchers were the first to develop a proof-of-concept exploit for the flaws; the PoC, available in the blog, showcases both exploiting the authentication bypass aspect and achieving remote code execution.

Asked why the flaw was so easy to exploit, Huntress principal security researcher John Hammond said it requires "only a single character change in the address bar of your web browser."

"After the simple modification of the web address, the attacker is presented with the ability to create a new administrator account as if they were setting the service up for the first time," he said.

Hammond also explained what ConnectWise's update means for customers.

"In a nutshell, this change means that an on-premises ScreenConnect instance will no longer work until they patch," he said. "Connected agents will stop checking in. This will not prevent exploitation of the server instance itself, but will hinder the potential lateral movement or supply chain risk by disabling a threat actor's ability to push down code or malware to connected clients."

In a statement shared with TechTarget Editorial, Huntress CEO Kyle Hanslovan said the sheer prevalence of the software and access afforded by the flaw "signals we are on the cusp of a ransomware free-for-all."

"We worked through the night to take this vulnerability apart, fully understand how it works and re-create the exploit. I can't sugarcoat it, this s--- is bad. We're talking upward of 10 thousand servers that control hundreds of thousands of endpoints," he said. "In addition to Huntress and ConnectWise observations, we have confirmation from a highly trusted connection within the U.S. intelligence community that it's already being exploited in the wild for initial access."

In a Wednesday update, ConnectWise said that as part of the release of ScreenConnect version 23.9.10.8817, it "has removed license restrictions, so partners no longer under maintenance can upgrade to the latest version of ScreenConnect."

Hammond praised the decision.

"This is a very strong move that forces administrators and owners to patch this software," he told TechTarget Editorial. "Candidly, this must have been a tough call for ConnectWise to make, and we commend them for making the decision. This was undoubtedly a hard decision for them to make, but it was the right decision that our industry will be grateful for."

On Thursday, Sophos X-Ops researchers said on Mastodon that they have observed exploitation activity connected to a notorious ransomware gang. "In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)," they wrote.

One of the most prolific ransomware gangs on the threat landscape, LockBit's operations were disrupted this week through an international law enforcement effort called Operation Cronos. Led by the U.K.'s National Crime Agency, law enforcement agents infiltrated LockBit's network and seized the gang's websites, servers, source code, cryptocurrency and decryption keys.

Sophos X-Ops researchers noted that despite the law enforcement operation, "it seems as though some affiliates are still up and running."

ConnectWise did not respond to TechTarget Editorial's request for comment.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.