Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label ConnectWise ScreenConnect. Show all posts

Ransomware Distributed Through Mass Exploitation of ConnectWise ScreenConnect

 

Shortly after reports emerged regarding a significant security flaw in the ConnectWise ScreenConnect remote desktop management service, researchers are sounding the alarm about a potential large-scale supply chain attack.

Kyle Hanslovan, CEO of Huntress, expressed concerns about the exploitation of these vulnerabilities, warning that hackers could potentially infiltrate thousands of servers controlling numerous endpoints. He cautioned that this could lead to what might become the most significant cybersecurity incident of 2024. ScreenConnect's functionality, often used by tech support and others for remote authentication, poses a risk of unauthorized access to critical endpoints.

Compounding the issue is the widespread adoption of ScreenConnect by managed service providers (MSPs) to connect with customer environments. This mirrors previous incidents like the Kaseya attacks in 2021, where MSPs were exploited for broader access to downstream systems.

ConnectWise addressed the vulnerabilities without assigning CVEs initially, but subsequent proof-of-concept exploits emerged swiftly. By Tuesday, ConnectWise acknowledged active cyberattacks exploiting these bugs, and by Wednesday, multiple researchers reported increasing cyber activity.

The vulnerabilities now have designated CVEs, including a severe authentication bypass flaw (CVE-2024-1709) and a path traversal issue (CVE-2024-1708) enabling unauthorized file access.

The Shadowserver Foundation reported thousands of vulnerable instances exposed online, primarily in the US, with significant exploitation observed in the wild.

According to Huntress researchers, initial access brokers (IABs) are leveraging these bugs to gain access to various endpoints, intending to sell this access to ransomware groups. There have been instances of ransomware attacks targeting local governments, including endpoints potentially linked to critical systems like 911 services.

Bitdefender researchers corroborated these findings, noting the use of malicious extensions to deploy downloaders capable of installing additional malware.

The US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities catalog.

Mitigation measures include applying patches released with ScreenConnect version 23.9.8 and monitoring for indicators of compromise (IoCs) as advised by ConnectWise. Additionally, organizations should vigilantly observe their systems for suspicious files and activities.

ConnectWise's actions to revoke licenses for unpatched servers offer some hope, although the severity of the situation remains a concern for anyone running vulnerable versions or failing to patch promptly.