ScreenConnect Compromise: Hackers Are Watching, Are You Ready? | Threat SnapShot
We know threat actors use RMM tools for command and control and to blend in with legitimate activity on networks. But what about exploiting the RMM tools themselves for fun, profit, and remote code execution? In this week's Threat SnapShot, we'll look at two recent vulnerabilities in ConnectWise ScreenConnect: CVE-2024-1709, an authentication bypass, and CVE-2024-1708, a directory traversal, which can be chained to achieve remote code execution. There are over 8,000 vulnerable instances exposed on the Internet, proof-of-concept exploits are public, and we are already seeing evidence of exploitation by threat actors. Patch immediately; ConnectWise is making the patches available even to customers outside their license's maintenance window. In the meantime, we'll discuss detection and hunting strategies to defend your organization.
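As an added example (not code from the video, from ConnectWise, or from SnapAttack), here is a small Python hunt over constructed process-creation records that implements the "Suspicious ScreenConnect Child Process" and "CSC Net On The Fly Compilation" ideas named in the resources below. The ScreenConnect binary names, install paths, and the JSON field layout are assumptions, not taken from the page; check them against your own deployment and telemetry.

```python
import json
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumed ScreenConnect process names (not from the page); verify on your install.
SCREENCONNECT_PARENTS = {
    "screenconnect.service.exe",        # server-side web/relay service
    "screenconnect.clientservice.exe",  # endpoint agent service
    "screenconnect.windowsclient.exe",  # endpoint agent UI
}
# Interpreters and LOLBins an attacker typically launches after gaining RCE.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
# ASP.NET compiles a dropped .aspx page on first request; the server spawns these.
COMPILERS = {"csc.exe", "vbc.exe"}

def classify(event: dict) -> Optional[str]:
    """Return a detection name for one process-creation record, else None."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    if parent not in SCREENCONNECT_PARENTS:
        return None
    if child in SHELLS:
        return "Suspicious ScreenConnect Child Process"
    if child in COMPILERS:
        return "CSC Net On The Fly Compilation"
    return None

def hunt(json_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over JSON-lines records; keep (time, detection, command line)."""
    hits = []
    for line in json_lines:
        ev = json.loads(line)
        name = classify(ev)
        if name:
            hits.append((ev.get("UtcTime", "?"), name, ev.get("CommandLine", "")))
    return hits

# Constructed sample records in a Sysmon Event ID 1-like shape (not real telemetry).
SAMPLE = [
    r'{"UtcTime":"2024-02-21 10:00:01","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\notepad.exe","CommandLine":"notepad.exe"}',
    r'{"UtcTime":"2024-02-21 10:00:05","ParentImage":"C:\\Program Files (x86)\\ScreenConnect Client (assumed)\\ScreenConnect.ClientService.exe","Image":"C:\\Program Files (x86)\\ScreenConnect Client (assumed)\\ScreenConnect.WindowsClient.exe","CommandLine":"ScreenConnect.WindowsClient.exe"}',
    r'{"UtcTime":"2024-02-21 10:01:10","ParentImage":"C:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.Service.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","CommandLine":"csc.exe /t:library /out:App_Web_xyz.dll"}',
    r'{"UtcTime":"2024-02-21 10:01:12","ParentImage":"C:\\Program Files (x86)\\ScreenConnect Client (assumed)\\ScreenConnect.ClientService.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

The compiler rule can also fire on legitimate activity such as the first load of a newly installed page or extension, so baseline csc.exe children of the ScreenConnect service before alerting on them.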
References:
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
- https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
- https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/
- https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE
SnapAttack Resources:
- https://app.snapattack.com/collection/242e192a-3f6e-4799-9c35-2b11aece94c5 - Collection: ScreenConnect Compromise: Hackers Are Watching, Are You Ready? | Threat SnapShot
- https://app.snapattack.com/threat/5559c586-26cf-4dfe-c49c-06d3a225a3bd - Threat: ScreenConnect Authentication Bypass and Remote Code Execution
- https://app.snapattack.com/detection/ebb12a02-cf93-4f71-87e7-9198e52725ff - Detection: ScreenConnect Auth Bypass
- https://app.snapattack.com/detection/18a66fc2-2058-489c-be29-cb83baef1b39 - Detection: ScreenConnect Extension Installed
- https://app.snapattack.com/detection/1643492c-a40d-4d15-9486-22ead4bcaf0f - Detection: Suspicious ScreenConnect Child Process
- https://app.snapattack.com/detection/9bba6e28-2ea2-4868-9dc0-f89db73ac8c1 - Detection: Possible ScreenConnect Webshell
- https://app.snapattack.com/detection/3f6cc051-47ea-4040-8011-9d59b6ea2187 - Detection: CSC Net On The Fly Compilation
- https://app.snapattack.com/detection/82036b25-2f2c-4085-833f-cd352fc09f96 - Detection: Suspicious ASP Temporary File
- https://app.snapattack.com/detection/b14a8047-5dda-42a3-b25a-d2cbeea38967 - Detection: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
- https://app.snapattack.com/detection/5593368b-f974-4ee3-b023-7d28bde961f1 - Detection: ScreenConnect User Database Modification
- https://app.snapattack.com/detection/9c709b1d-070f-48ea-9d08-db9cf8a08634 - Detection: ScreenConnect User Database Modification - Security
- https://app.snapattack.com/detection/953ae30f-ee34-4200-851d-6efa9ce03310 - Detection: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
- https://app.snapattack.com/detection/b1ea994d-bd57-44b4-b6cb-44c8f368aac6 - Detection: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security