ConnectWise Discloses Critical ScreenConnect Vulnerabilities

UPDATE – MARCH 11th, 2024: The threat intelligence and response firm Mandiant (now part of Google Cloud) has published an in-depth Remediation and Mitigation Guide for the ConnectWise vulnerabilities with steps for MSPs to take to harden their ScreenConnect installations. For additional updates and the latest information that ConnectWise partners can use, please refer to ConnectWise’s previously referenced resources below.

UPDATE – FEBRUARY 26th, 2024: The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on February 22nd, 2024, after this threat briefing’s original publication, based on reports that threat actors, including state-sponsored groups, are actively exploiting these ScreenConnect vulnerabilities to deploy cryptocurrency miners and ransomware (such as LockBit) and to use toolkits like Cobalt Strike against victims such as UnitedHealth Group’s Change Healthcare. Please patch your on-premises ScreenConnect instances immediately to prevent exploitation.

Original Threat Briefing:

On February 13th, 2024, an undisclosed party reported two critical vulnerabilities to the ConnectWise Trust Center. Shortly after ConnectWise disclosed these vulnerabilities on February 19th, researchers from Huntress Labs successfully created a proof-of-concept exploit and communicated their initial findings to the MSP community. These vulnerabilities impact ScreenConnect versions 23.9.7 and earlier.  

ConnectWise has released a new version of ScreenConnect (23.9.8) that patches these vulnerabilities, and recommends that MSPs using ScreenConnect update to this version immediately.
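Because the affected range is stated as "23.9.7 and earlier" and the fix as 23.9.8, the first thing an MSP needs is a reliable way to compare the installed version string against the fixed one. A naive string comparison gets this wrong (lexically, "23.9.10" sorts below "23.9.8"). The script below is an added example, not code from ConnectWise, Huntress or CyberQP; the hostnames, the build suffixes and the inventory dictionary are constructed sample input, and how you obtain each server's version (the product's About page, the installed-programs entry, or your RMM inventory) is an assumption left to the reader.

```python
"""Triage on-premises ScreenConnect servers against the affected range
(23.9.7 and earlier) and the first fixed release (23.9.8) named in the
ConnectWise advisory.

Added example, not vendor code. Hostnames, build suffixes and the inventory
below are constructed for illustration.
"""
import re

PATCHED_VERSION = "23.9.8"  # first fixed release named in the advisory


def parse_version(version: str) -> tuple:
    """Turn '23.9.8' or '23.9.8.1234' into a tuple of ints so that comparison
    is numeric, not lexical: (23, 9, 10) correctly sorts above (23, 9, 8)."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version predates the first patched release.

    Only as many components as the fixed version specifies are compared, so a
    trailing build number on the installed version cannot skew the result.
    """
    installed = parse_version(version)
    fixed = parse_version(patched)
    return installed[: len(fixed)] < fixed


def triage(inventory: dict) -> dict:
    """Map hostname -> 'PATCH NOW' or 'ok' for a dict of hostname -> version."""
    return {
        host: ("PATCH NOW" if is_affected(ver) else "ok")
        for host, ver in inventory.items()
    }


# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = {
    "sc-prod-01.example.internal": "23.9.7.1234",
    "sc-prod-02.example.internal": "23.9.8.1234",
    "sc-lab.example.internal": "22.8.9",
    "sc-new.example.internal": "23.9.10",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {SAMPLE_INVENTORY[host]:14} {status}")
```

Two caveats a practitioner should keep in mind: this check applies to on-premises and self-hosted servers (the briefing notes ConnectWise updated its cloud-hosted instances itself), and a version at or above 23.9.8 only tells you the server is no longer exposed, not that it was never reached before the patch landed; for that, the Huntress indicators of compromise referenced later in this briefing are the right tool.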

As a solution provider supporting an integration with ConnectWise ScreenConnect, CyberQP can confirm that we do not use ConnectWise ScreenConnect in our production environments or on primary devices, and are ensuring any instances of ScreenConnect in test or demo environments are patched immediately.  

Since these vulnerabilities have a Critical severity rating and a High priority risk classification, CyberQP considers this an ongoing situation and will issue updates as necessary.  

Key Takeaways 

In their advisory, ConnectWise disclosed two vulnerabilities, classified as CWE-288 (authentication bypass using an alternate path or channel) and CWE-22 (path traversal).

The CWE-288 vulnerability is rated critical with a CVSS score of 10, and allows threat actors to bypass authentication using an alternate channel.

The CWE-22 vulnerability is a “path traversal” flaw with a CVSS score of 8.4, making it a critical, high-priority vulnerability.

ConnectWise states that it has already updated the ScreenConnect servers it hosts in the cloud. MSPs using the on-premises or self-hosted version of ScreenConnect, however, must patch their servers immediately.

Working from the limited details in the advisory, Huntress researchers bypassed authentication and demonstrated in a demo video that threat actors could exploit these vulnerabilities to achieve remote code execution.

Next Steps  

For more information, MSPs can follow the remediation steps in ConnectWise’s advisory. 

Huntress researchers have also offered detailed indicators of compromise in their report that you can use to detect suspicious behavior.