ConnectWise ScreenConnect Flaw Actively Exploited

A vulnerability in the ConnectWise ScreenConnect remote management tool has been utilized to deploy ransomware to vet offices, health clinics and local governments.

Huntress' John Hammond

That’s according to John Hammond, principal security researcher at Huntress. The local government ransomware includes attacks against systems related to 911 systems, broader emergency services, local board of elections and more.

Earlier this week, ConnectWise issued a security advisory on two ScreenConnect vulnerabilities, an authentication bypass and a path traversal. The authentication bypass allows an attacker with network access to the management interface to create a new administrator-level account on affected devices.

ConnectWise rated the vulnerabilities as critical, saying they could allow the ability to execute remote code, or directly impact confidential data or critical systems.

ConnectWise sent us the following statement:

"We have swiftly addressed the two vulnerabilities (CVE-2024-1709 and CVE-2024-1708) in our ScreenConnect software. Our cloud partners were automatically protected within 48 hours, while on-premises customers were urged to apply the provided patch immediately through the upgrade path we provided. We remain committed to prioritizing the security of our partners' systems and will continue to take proactive measures to address vulnerabilities promptly and effectively. We are seeing some incidents of the ScreenConnect vulnerability being exploited and are actively assisting our partners to address it."

CISA Adds ConnectWise ScreenConnect to Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) added the authentication bypass vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” it said.

The ransomware attacks are a significant development as “until now, we had only seen the vulnerability used to install malicious tooling, but not lead to critical organization impact yet,” Hammond said.

“ConnectWise stated they revoked licenses for unpatched servers and while it's unclear on our end how this works, it appears this vulnerability is still a major concern for anyone running a vulnerable version or who did not patch swiftly (this is not to say ConnectWise's actions aren't working, we're unsure of how this played out at this time),” he said. “We can't publicly name the customers at this time, but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown. While we can't attribute this directly to the larger LockBit group, it is clear that Lockbit has a large reach that spans tooling, various affiliate groups and offshoots that have not been completely erased even with the major takedown by law enforcement.”

Beyond ransomware, Huntress is seeing the following deployed via this vulnerability:

Clear Message to State, Local Governments

“We believe this attack was opportunistic based on observed tradecraft; however it sends a clear message -- state and local governments, no matter the size, are having to dedicate more resources to detect and respond to cyber threats to keep their communities safe,” Hammond said. “The LockBit ransomware deployments that we have seen are invoked with an encryptor that looks to be compiled around Sept. 13, 2022, which is the same timeline as the leaked LockBit 3.0 builder in the past. One observed filename is classic ‘LB3.exe,’ which again matches the canned and publicly leaked builder. However, the style and formatting of the ransom note I believe to be different than the default. With all that said, I can't say with any certainty one way or another if it is just any actor with the previously leaked builder, or the ‘real’ LockBit or any affiliates. I'm not convinced it is ‘the’ LockBit, but candidly, the affected organizations care more about the impact and encryption than attribution or who did it.”

In the ransomware cases observed so far, the encryptor binary's details seem to match up against the LockBit 3.0 binary that was leaked around September 2022, he said.

“There are subtle differences in the rest of the indicators, like a slightly different ransom note,” Hammond said. “We can't say definitively right now whether that means this is LockBit proper, an affiliated threat actor, or something unrelated entirely. The team is researching like crazy to try to draw more conclusions.”