Fraud Management & Cybercrime , Governance & Risk Management , Patch Management

Attackers Rush to Exploit ScreenConnect Vulnerabilities

Ransomware, Info Stealers, Backdoors and Cryptojacking
Attackers Rush to Exploit ScreenConnect Vulnerabilities
Hackers are taking advantage a ScreenConnect flaw that is "trivial and embarrassingly easy" to exploit. (Image: Shutterstock)

Hackers are on a tear to exploit unpatched ConnectWise ScreenConnect remote connection software to infect systems with ransomware, info stealers and persistent backdoors.

See Also: OnDemand | Defining a Detection & Response Strategy

The attacks observed by researchers include ransomware deployments tied to the now-defunct LockBit ransomware operation, apparently built with a leaked malware builder tool. A "significant number" of hackers are using ScreenConnect access to deploy cryptocurrency miners, said cybersecurity firm Huntress on Friday.

ConnectWise on Monday urged customers with on-premises equipment to patch two high-risk vulnerabilities affecting ScreenConnect servers and ScreenConnect clients - an entreaty that grew in urgency after security researchers published a proof of concept for an authentication bypass flaw tracked as CVE-2024-1709. The flaw has a CVSS score of 10 - the maximum possible, making it, "critical." The other flaw, tracked as CVE-2024-1708, is a high-severity path traversal vulnerability but its exploitation requires the attacker to already have administrative privileges (see: ScreenConnect Servers at High Risk as POC Becomes Public).

The Shadowserver Foundation, which tracks malicious activity, said that as of Wednesday it had found more than 8,200 vulnerable ScreenConnect instances. Attacks have originated from 643 internet protocol addresses, it said.

It is "trivial and embarrassingly easy" to exploit the authentication bypass flaw, Huntress said earlier this week. The attacker "does not require any privileges," wrote Bitdefender.

Victims include a U.S. local government 911 service - the American emergency assistance telephone number - health clinics and veterinarians, said Max Rogers, a senior director at Huntress. "When the threat actor gained access to the local government's network, they were able to access several systems associated with various government activities," including 911 as well as broader emergency services, he told Information Security Media Group.

The bug affects all ScreenConnect versions, which prompted the company to removed license restrictions on Wednesday and allow customers with expired licenses to upgrade to the latest software version.

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday added the flaw to its Known Exploited Vulnerabilities Catalog and said the flaw is "known to be used in ransomware campaigns." CISA directed all federal agencies to secure ScreenConnect servers by Feb. 29.

Cybersecurity firm Sophos in a Friday blog post said it had observed multiple attacks in the past 48 hours that deployed a LockBit ransomware payload.

The attackers deploying the ransomware used the filename enc.exe or upd.exe. The ransom note identified the variant as "buhtiRansom" rather than LockBit.

Sophos detected various remote access Trojans, info stealers, password stealers and other ransomware variants being deployed in this exploitation campaign. "All of this shows that many different attackers are targeting ScreenConnect," the company said.

Rogers told ISMG the LockBit deployment appears to have been compiled around Sept. 13, 2022 - about the time a LockBit developer leaked the ransomware-as-a-service group's source code. The developer was apparently upset at being made to pay out of his own pocket a $50,000 bug bounty the operation had offered for flaws in its encryptor malware. "I'm not convinced it is 'the' LockBit but candidly, the affected organizations care more about the impact and encryption than attribution or who did it," Rogers said.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.