ConnectWise users see cyber attacks surge, including ransomware

Cyber attacks against vulnerable instances of the ConnectWise ScreenConnect remote management platform are now being observed following the disclosure of a critical vulnerability in the service, including some by an individual using a leaked variant of LockBit ransomware.

CVE-2024-1709 – described as “trivial” to exploit by one researcher who has poked around under the bonnet – is an authentication bypass vulnerability and was disclosed earlier this week. A second, less severe but still dangerous issue, CVE-2024-1708, is also in circulation.

Patches are available and further details of how to apply these, and who needs to do so, are available from ConnectWise.

Given the ease of exploitation, observers had already been predicting that attacks would unfold in short order, and this now appears to be the case, as Sophos X-Ops director Christopher Budd observed.

“We’ve seen multiple attacks involving ScreenConnect in the past 48 hours. The most noteworthy has been a malware that was built using the LockBit 3 ransomware builder tool leaked in 2022: this may not have originated with the actual LockBit developers. But we’re also seeing RATs [remote access Trojans], infostealers, password stealers and other ransomware. All of this shows that many different attackers are targeting ScreenConnect,” said Budd

“Anyone using ScreenConnect should take steps to immediately isolate vulnerable servers and clients, patch them and check for any signs of compromise. Sophos has extensive guidance and threat hunting material from Sophos X-Ops to help. We are continuing our investigations and will make updates as needed,” he told Computer Weekly in emailed comments.

Mike Walters, president and co-founder of Action1, a patch management specialist, was among those urging ConnectWise customers to sit up and take notice. “Potentially there could be thousands of compromised instances. The massive attack exploiting these vulnerabilities may be similar to the Kaseya vulnerability exploitation in 2021, as ScreenConnect is a very popular RMM among MSPs and MSSPs, and could result in comparable damage,” he said.

“The security advisory states that updated ScreenConnect versions 22.4 through 23.9.7 are planned for release and emphasises the recommendation to upgrade to ScreenConnect version 23.9.8 as a priority.

“Cloud customers hosting ScreenConnect servers on the ‘screenconnect.com’ or ‘hostedrmm.com’ domains are not affected, as updates have been implemented to address these vulnerabilities in the cloud service,” added Walters.

At the time of writing, Shodan data shows that there are around 9,000 vulnerable instances of ScreenConnect exposed to the internet, with just under 500 of those located in the UK.  

Sophos said the simplicity of exploitation made it imperative for users to assess their exposure and take steps beyond simply patching.

For maximum protection, security teams should be sure they have identified all ScreenConnect installations – including those run by external managed service providers (MSPs), isolate or uninstall the client software from identified devices until they can confirm they have patched, and then check those devices for potential malicious activity. This can include the creation of new local users, suspicious client software activity, system and domain recon, and any actions that may indicate someone has attempted to disable security controls.

A spokesperson for ConnectWise told Computer Weekly: “We have swiftly addressed the two vulnerabilities in our ScreenConnect software. Our cloud partners were automatically protected within 48 hours, while on-premise customers were urged to apply the provided patch immediately through the upgrade path we provided. We remain committed to prioritising the security of our partners' systems and will continue to take proactive measures to address vulnerabilities promptly and effectively.

They added: “At this time, we cannot definitively establish a direct link between the vulnerability and any security incidents.”

This article was edited at 17:30 GMT on 23 February 2024 to incorporate a statement from ConnectWise.