ScreenConnect vulnerabilities are "incredibly trivial to exploit", researchers warn


ScreenConnect vulnerabilities are being actively exploited in the wild by cyber criminals, according to new research, with security experts urging users to patch the remote desktop access software.

The flaws discovered in ScreenConnect, software giant ConnectWise’s remote desktop access product, specifically affect versions 23.9.7 and earlier. 

CVE-2024-1708 and CVE-2024-1709 were rated high and critical severity respectively under the CVSS scores recorded in the National Vulnerability Database (NVD).

CVE-2024-1708 is a path traversal vulnerability that attackers could leverage to read or write files and directories outside the area they are supposed to be restricted to, which could lead to system compromise or the disclosure of sensitive information.

CVE-2024-1709 is an authentication bypass flaw that gives an unauthenticated threat actor direct access to sensitive information and critical systems. Its critical severity rating reflects that it can be exploited with minimal effort and can cause significant disruption.

Trend Micro's analysis of the vulnerabilities described this flaw as particularly concerning because of how simply attackers can bypass authentication and compromise the system.

“CVE-2024-1709 is especially alarming in that it is incredibly trivial to exploit,” researchers said. “When an attacker successfully adds unauthorized accounts into the ConnectWise Server, those accounts can be abused to execute code.”

In an advisory released on 20 February, ConnectWise said the flaws had been reported through its vulnerability disclosure channel on 13 February. The company rushed out patches for the affected versions and stated that, at that stage, there were no indicators the flaws had been exploited in the wild.
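The article's actionable fact is that ScreenConnect 23.9.7 and earlier are affected, so the first thing a practitioner wants is a reliable way to sort an estate of installs into patched and unpatched. The helper below is an added example, not code from the article, ConnectWise or Trend Micro. It assumes you already have each server's version string (from an asset inventory or the server's own admin page; the article does not say how to collect them) and that ScreenConnect versions may carry a fourth build-number component, which is treated as irrelevant to the affected/not-affected decision. The inventory is constructed sample data. It also shows the pitfall that makes naive checks wrong: comparing version strings lexically puts 23.10 before 23.9.

```python
"""Flag ScreenConnect installs affected by CVE-2024-1708 / CVE-2024-1709.

Added example (not the article's or ConnectWise's code). The only fact
taken from the article is that versions 23.9.7 and earlier are affected.
"""
from typing import Dict, List, Tuple

# From the article: 23.9.7 and earlier are affected by both CVEs.
LAST_AFFECTED_VERSION = "23.9.7"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.7' or '23.9.7.8817' into a tuple of ints.

    Numeric tuples compare correctly; raw strings do not
    ('23.10.0' < '23.9.7' lexically, although 23.10 is the newer release).
    A version string that is not purely dotted integers is rejected rather
    than silently treated as patched.
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable ScreenConnect version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the install is 23.9.7 or earlier.

    Only major.minor.patch is compared: a trailing build number such as
    the '.8817' in '23.9.7.8817' (assumed 4-part format) does not change
    whether the release is affected. Missing trailing components are
    padded with zeros, so '23.9' is treated as 23.9.0 and flagged.
    """
    cutoff = parse_version(LAST_AFFECTED_VERSION)
    v = parse_version(version)[: len(cutoff)]
    v = v + (0,) * (len(cutoff) - len(v))
    return v <= cutoff


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose ScreenConnect version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostname -> reported ScreenConnect version.
SAMPLE_INVENTORY = {
    "sc-prod-01": "23.9.7.8817",   # last affected release, with build number
    "sc-prod-02": "23.9.8.8811",   # first release above the cutoff
    "sc-legacy": "22.8.2",         # older release, affected
    "sc-lab": "23.10.1",           # newer than 23.9.x despite '10' < '9' as text
}


if __name__ == "__main__":
    # Demonstrate the lexical-comparison trap before reporting results.
    print("string compare says 23.10.0 < 23.9.7:", "23.10.0" < "23.9.7")
    print("numeric compare says 23.10.0 < 23.9.7:",
          parse_version("23.10.0") < parse_version("23.9.7"))
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, patch now")
```

Feeding the function a version string that cannot be parsed raises rather than returning "not affected"; an unknown version should be investigated, not quietly counted as patched.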

Black Basta, Bl00dy, and others sniffing around ScreenConnect weaknesses

On 27 February, Trend Micro reported its telemetry found that “diverse threat actor groups” were exploiting the vulnerabilities in ScreenConnect.

Analysts at the security company found Cobalt Strike beacons affiliated with the Black Basta ransomware collective had been deployed on systems running vulnerable versions of ScreenConnect.

The threat actors were observed attempting to escalate privileges to facilitate lateral movement within the network, as well as querying Active Directory to identify future targets.

Since first being observed in 2022, Black Basta has emerged as a highly active group in the ransomware-as-a-service (RaaS) space.

The group has had a busy start to 2024, claiming responsibility for an attack on British utilities firm Southern Water, which reportedly exfiltrated 750GB of sensitive data including passports, ID cards, and employee information. 

Black Basta was not the only group observed using adversary simulation tools against the flaw, according to Trend Micro. Another, unidentified group was seen deploying Cobalt Strike payloads and defense evasion techniques on vulnerable networks.

Trend Micro also revealed that a ransomware operator dubbed ‘Bl00dy’ was actively exploiting the vulnerabilities in ScreenConnect, deploying payloads produced with the leaked Conti and LockBit ransomware builders.

Given that these flaws are already being targeted, and the damage threat actors could cause if successful, Trend Micro emphasized the importance of firms patching their systems as soon as possible.

“If exploited, these vulnerabilities could compromise sensitive data, disrupt business operations, and inflict significant financial losses. The fact that threat actors are actively using these weaknesses to distribute ransomware adds a layer of urgency for immediate corrective actions.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.