
Ransomware Hackers, Phishing Scams Exploit ScreenConnect Software Flaws

On-premise ScreenConnect customers are urged to install patches or upgrade to v23.9.8 without further delay

Vulnerabilities in the ConnectWise ScreenConnect platform, versions 23.9.7 and earlier, were announced on February 19, 2024. Federal agencies reported evidence of exploitation of ScreenConnect and AnyDesk software as early as June 2022.

On March 4, 2024, ConnectWise published an updated security bulletin providing additional information about the software flaws discovered in the company’s ScreenConnect platform on versions 23.9.7 and earlier.

In its recent bulletin, ConnectWise ranks the flaws as Critical and High and urges customers to immediately install patches or upgrade to version 23.9.8 or higher. The vulnerabilities are described briefly on the National Institute of Standards and Technology (NIST) website as follows:

CVE-2024-1708 (HIGH) - ConnectWise ScreenConnect version 23.9.7 and prior are affected by the path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

CVE-2024-1709 (CRITICAL) - ConnectWise ScreenConnect version 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

The ConnectWise advisory emphasizes the impact on customers who use its on-premise (self-hosted) ScreenConnect software, noting that customers using cloud-based ScreenConnect had the vulnerability remediated by ConnectWise shortly after discovery.

ConnectWise is self-described as the world's leading software company dedicated to the success of IT solution providers through unmatched software, services, and community. ScreenConnect is available as a cloud-based SaaS or as an on-premise application on customer servers. It includes a proprietary protocol and open architecture that customers can use to implement custom plugins, scripting, or various integrations. Once installed, it can be made visible inside and outside an organization’s local area network, making it attractive to hackers.

Customers Urged to Take Immediate Actions to Mitigate ScreenConnect Software Flaws

On-premise customers are urged to take specific actions as soon as possible. The March 4th ConnectWise advisory reminds customers to apply ConnectWise-provided patches to their servers if they have not yet done so, or to upgrade to version 23.9.8 or higher if they have active maintenance contracts.

ScreenConnect software flaws detected in version 23.7.1 and earlier can be patched, or the software can be upgraded to version 23.9.8 or higher. The company bulletin further advises these customers to “assess your systems for signs of impact while upgrading and before bringing any systems back online.”

In addition, those who possess enhanced Windows event logs or endpoint detection and response (EDR) solutions are urged to conduct a thorough investigation to identify any suspicious activity, including evidence of commands run from web shells or other indicators of compromise. 

If the investigation identifies file anomalies or other signs of compromise, ConnectWise highly recommends contacting a firm that specializes in incident response and digital forensics in order to effectively investigate and remediate the security issues. 

After on-premise customers have applied the provided patches, or upgraded to a newer version of ScreenConnect, the company urges them to follow the ScreenConnect Remediation Guide by Mandiant, which includes additional mitigation assistance and outlines steps to check for signs of compromise. These might include: 

  • Auditing rogue users, malicious extensions, and additional checks for indicators of compromise, 
  • Enabling baseline audit and privacy logs, 
  • Proxy server and load balance configurations, 
  • Restricting Egress, and  
  • Additional details for restricting permissions. 

ConnectWise urges customers who are on active maintenance to upgrade to the most current release (23.9.8 or later) to take advantage not only of security updates and bug fixes, but also of software enhancements not found in older releases.
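As an added illustration (not ConnectWise or Mandiant code), the sketch below triages a constructed inventory against the 23.9.8 threshold and the cloud/on-premise distinction described above. Host names, the inventory format, and the status labels are assumptions; versions are compared numerically because a plain string comparison would rank 23.9.10 below 23.9.8.

```python
import re

FIXED = (23, 9, 8)  # first fixed release named in the advisory text above
CVES = ("CVE-2024-1708", "CVE-2024-1709")

# Constructed sample inventory; hosts, fields and versions are illustrative.
INVENTORY = [
    {"host": "sc-hq-01", "deployment": "on-prem", "version": "23.9.7.8804"},
    {"host": "sc-lab-02", "deployment": "on-prem", "version": "23.9.10"},
    {"host": "sc-dr-03", "deployment": "on-prem", "version": "v23.9.8"},
    {"host": "sc-old-04", "deployment": "on-prem", "version": "unknown"},
    {"host": "tenant-05", "deployment": "cloud", "version": "23.9.7"},
]

def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+){1,3})\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(record):
    """Classify one inventory record as (status, next_step)."""
    if record["deployment"] == "cloud":
        # Per the advisory, ConnectWise remediated cloud instances itself.
        return "vendor-remediated", "no customer patch needed"
    version = parse_version(record["version"])
    if version is None:
        return "unknown", "confirm the installed version manually"
    if version < FIXED:
        return "affected", ("patch or upgrade to 23.9.8+, and assess for "
                            "compromise before bringing the server back "
                            "online (" + ", ".join(CVES) + ")")
    return "fixed", "follow the remediation guide's post-patch checks"

def report(inventory):
    """Map each host to its triage status."""
    return {r["host"]: triage(r)[0] for r in inventory}

if __name__ == "__main__":
    for rec in INVENTORY:
        status, step = triage(rec)
        print(f'{rec["host"]:<10} {rec["version"]:<12} {status:<18} {step}')
```

A "fixed" result only reflects the version number; it does not show that the server was not compromised before it was patched.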

Ransomware Criminals Actively Exploiting ScreenConnect Flaws

Since the ConnectWise ScreenConnect vulnerabilities were published, several security industry sources have reported that ransomware criminals have been actively exploiting the flawed software, including associates in the LockBit ransomware organization.

According to an SC Magazine article on March 1, 2024, the CVE-2024-1709 authentication bypass flaw was used in a Play ransomware breach and an attempted supply chain attack involving LockBit malware. One of the attacks targeted a managed service provider (MSP) as part of an effort to execute a wider supply chain breach against its customers. That attack was thwarted by the MSP’s security operations center before files could be encrypted or held for ransom.

In another case, a finance company was struck by Play ransomware after discovering an unauthorized intrusion while staff were attempting to apply the ScreenConnect patch. Despite immediate mitigation efforts by company staff, the cybercriminals were able to successfully encrypt the firm’s entire storage area network and present a ransom demand.

Both attacks occurred within 72 hours of ConnectWise announcing the two ScreenConnect vulnerabilities on February 19, 2024. However, exploits have been occurring for several years.

A TechCrunch article published in January 2024 noted that financially motivated hackers had compromised federal agencies using legitimate remote desktop software from ConnectWise ScreenConnect and AnyDesk. A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) indicated that multiple federal civilian executive branch agencies had been targeted, including Homeland Security, Treasury, and Department of Justice.

ScreenConnect software flaws provide numerous exploitable vulnerabilities. The malicious activity was discovered in October 2023 during a CISA retrospective analysis using Einstein, a government-operated intrusion detection system designed to protect federal civilian agency networks. Further analysis concluded that many other government networks were also affected.

CISA linked this activity to a financially motivated phishing campaign discovered by Silent Push, a threat intelligence firm. The attackers had begun sending phishing emails to federal employees in June 2022, according to the CISA/NSA advisory. The phishing emails directed unwitting victims to malicious websites spoofing universally recognized companies, which in turn led to the download of legitimate remote access software, specifically ConnectWise ScreenConnect and AnyDesk. The cybercriminals used these tools to conduct a refund scam to steal money from victims’ bank accounts.

Ironically, while these remote access tools have the advantage of enabling IT staff to access employee computers quickly and with minimal interaction from users, they have also proven easily exploitable by cybercriminals to launch convincing-looking scams leading to financial crimes against individuals.

The CISA/NSA advisory also warns that attackers could use legitimate remote access software as a backdoor for maintaining persistent access to government networks.

Assurance for Customers Using HITRUST Framework

In response to inquiries from customers, security assessors, and others, HITRUST published a bulletin on March 1, 2024, describing how the HITRUST framework is kept current and complete in the face of evolving cyber threats, including the two ConnectWise CVEs. Following are excerpts from that bulletin.

“The HITRUST framework is actively reviewed using a cyber threat adaptive process to ensure that assurances provided by HITRUST adapt and remain relevant to current threats and an ever-changing risk landscape. These reviews are conducted regularly and when industry events and/or new risks or vulnerabilities warrant analysis. HITRUST is conducting such a review against the recently announced CVEs (CVE-2024-1708 and 1709), given industry interest and the potential of systemic and aggregate risk to the communities we serve including the healthcare industry.

“This HITRUST review includes an analysis of the threats, an understanding of a change in the risk landscape resulting from the threat, and review of that risk against the HITRUST framework including control specifications to ensure that security safeguards as implemented, measured, and monitored are responsive to the change in the risk landscape.

ScreenConnect software flaws are covered at i1 and r2 assurance levels.

“Where new threats or a change in the risk landscape identify opportunities to change the control framework, the assurance methodology, and/or our assurance and quality review processes, HITRUST will proactively and immediately amend our approach to support the continued cyber resilience of our customers and sustain the assurances provided by HITRUST reports. The result of this analysis and required changes are then communicated to the community which includes assessed entities, external assessors, and relying parties with a focus on transparency and continuous improvement.

“The HITRUST review is ongoing and will be revised as new information is made available. Based upon HITRUST’s analysis, the control specifications in the i1 and r2 assurance levels both address the two CVEs. HITRUST is continuing to evaluate whether control specifications contained in the e1 assurance level provide sufficient mitigation for the two CVEs.” 

The HITRUST bulletin also acknowledged recent industry reports suggesting that the two ScreenConnect software flaws were implicated in a cyber incident that affected the healthcare industry in late February. However, HITRUST was “unable to comment on those reports at this time in respect of the confidentiality of our industry relationships and, just as importantly, to allow vital recovery and investigation work to take place.” HITRUST indicated that their “analysis and this bulletin will be amended as more facts are confirmed by industry parties with first-hand knowledge of relevant information.”

Summary

Recent alerts from remote access software provider ConnectWise announced two critical ScreenConnect software flaws. The convenient remote access software is widely used by IT teams for legitimate access to employees’ computers. However, it is also extremely attractive to hackers, with unfortunate consequences. The flaws are posted by the Forum of Incident Response and Security Teams (FIRST) authoritative source as CVE-2024-1708 and CVE-2024-1709.

Evidence of the active exploitation of ScreenConnect was discovered among federal agencies in 2022 and 2023, according to a joint CISA/NSA advisory, including phishing scams targeting individual federal employees’ bank accounts. The advisory warns that attackers could also use legitimate remote access software as a backdoor for maintaining persistent access to government networks for malicious purposes.

ConnectWise proactively remediated its cloud-based software-as-a-service and has provided patches for on-premise customers. Customers with active maintenance contracts have been urged to upgrade to version 23.9.8 or higher. On-premise customers are also directed to remediate ScreenConnect software flaws by following security hardening procedures provided in the ScreenConnect Remediation Guide from Mandiant.


Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
