Update (2/22/2024): Attackers are now actively exploiting these vulnerabilities, including affiliates of at least one ransomware group. Given how easy exploitation is and how much access it yields, affected organizations should patch immediately.
ConnectWise issued a security advisory for two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) in ConnectWise ScreenConnect, an application commonly used for remote desktop management. CVE-2024-1709 is an authentication bypass and CVE-2024-1708 is a path traversal; chained together, they allow an unauthenticated remote attacker to take control of the server and, from there, every endpoint it manages. We recommend organizations upgrade to a patched version immediately.
As reported by ConnectWise, the vulnerabilities enable a remote attacker to bypass authentication and execute code on the system. Corvus has seen similar vulnerabilities lead to significant security incidents, including data theft and ransomware. These vulnerabilities affect on-premises and other self-hosted installations of ScreenConnect 23.9.7 and prior.
Note: ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue and require no further action.
Update to a fixed version: 23.9.8 or later.
See this blog post by Huntress for detection guidance.
Given how quickly attackers began exploiting these vulnerabilities (we are already seeing claims come in), we recommend checking your ScreenConnect instance to confirm it was not compromised before the patch was installed. Patching closes the door but does not remove an attacker who is already inside. Below are a few checks for indicators of compromise, each with a free query from Sophos Rapid Response.
Look for requests to SetupWizard.aspx with a trailing slash (for example SetupWizard.aspx/ followed by anything) in web server, reverse proxy, or WAF logs. The setup wizard should only be reachable before initial setup, so this request shape after setup is an indicator of the ScreenConnect authentication bypass. (Sophos Rapid Response query)
Check the User.xml file in the ScreenConnect\App_Data folder for signs of exploitation. The file is rewritten when an attacker uses the bypass to create a new user, so compare its contents and modification time against your known administrator accounts and the time the patch was applied. (Sophos Rapid Response query)
Check for temporary user-creation XML files written to disk within the past two weeks. The presence of such a file is an indicator of possible exploitation. (Sophos Rapid Response query)
Review any .ASPX and .ASHX files in the ScreenConnect\App_Extensions folder and determine whether they are malicious. The path traversal (CVE-2024-1708) lets an attacker write files into this folder, so compare against a known-good installation or the extension's manifest rather than assuming every handler there is malicious. (Sophos Rapid Response query)
Identify shells (cmd.exe, powershell.exe) and other unexpected child processes spawned by the ScreenConnect server process. (Sophos Rapid Response query)
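The first, second and fourth checks above can be scripted. The following is an added example written for this page, not a tool from Corvus, Sophos or Huntress, and it uses Python rather than the Sophos queries so it can be run offline against copied artifacts. It assumes three things that are not stated on the page: that a reverse proxy or web server in front of ScreenConnect writes requests in combined log format (the sample lines are constructed), that User.xml holds each account as a User element with a Name child or Name attribute (the real schema may differ; treat the parser as a template to adjust), and that App_Extensions can be copied to the analysis host. The sample App_Extensions tree is also constructed.

```python
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import unquote

# "SetupWizard.aspx" followed by a slash and any trailing segment is the request shape
# associated with the authentication bypass; a bare /SetupWizard.aspx is normal only
# during initial setup and is deliberately not matched here.
SETUP_WIZARD_BYPASS = re.compile(r"SetupWizard\.aspx/", re.IGNORECASE)

# Request line inside a combined-log-format entry (assumption: a proxy in front of
# ScreenConnect logs in this format; ScreenConnect itself may not write a request log).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log lines: two internal hosts and one external address probing the wizard.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/2024:10:01:02 +0000] "GET /Login HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Feb/2024:10:02:30 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 8192',
    '203.0.113.7 - - [20/Feb/2024:10:02:41 +0000] "POST /SetupWizard.aspx/anything HTTP/1.1" 302 0',
    '203.0.113.7 - - [20/Feb/2024:10:03:10 +0000] "GET /setupwizard.aspx%2Fx HTTP/1.1" 200 8192',
    '10.0.0.5 - - [20/Feb/2024:10:05:00 +0000] "GET /SetupWizard.aspx HTTP/1.1" 403 0',
]

# Constructed User.xml in the assumed schema (User elements with a Name child).
SAMPLE_USER_XML = """<Users>
  <User><Name>admin</Name></User>
  <User><Name>helpdesk</Name></User>
  <User><Name>tempuser</Name></User>
</Users>"""


def find_setup_wizard_requests(log_lines):
    """Return (line number, method, decoded path) for every request to SetupWizard.aspx/<anything>."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        # Decode percent-encoding first so "SetupWizard.aspx%2F..." is not missed.
        path = unquote(m.group("path"))
        if SETUP_WIZARD_BYPASS.search(path):
            hits.append((n, m.group("method"), path))
    return hits


def unexpected_users(user_xml_text, known_users):
    """Return account names in User.xml that are not in the known administrator list.
    Assumption: each account is a <User> element with its name in a <Name> child or a
    Name attribute; namespaces are ignored so a namespaced file still parses."""
    root = ET.fromstring(user_xml_text)
    found = set()
    for el in root.iter():
        if el.tag.split("}")[-1] != "User":
            continue
        name = el.get("Name")
        if name is None:
            for child in el:
                if child.tag.split("}")[-1] == "Name":
                    name = (child.text or "").strip()
                    break
        if name:
            found.add(name)
    return sorted(found - set(known_users))


def suspicious_extension_files(app_extensions_dir):
    """List every .aspx/.ashx file under App_Extensions as POSIX-style relative paths.
    Legitimate extensions can ship .ashx handlers, so the output is a review list,
    not a verdict: compare it against a known-good install or each extension's manifest."""
    root = Path(app_extensions_dir)
    if not root.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in (".aspx", ".ashx"))


def demo_extension_scan():
    """Build a constructed App_Extensions tree in a temp dir, scan it, and clean up."""
    root = Path(tempfile.mkdtemp(prefix="App_Extensions_"))
    ext = root / "2e0b4a91-example"  # hypothetical extension folder name
    ext.mkdir()
    (ext / "Service.ashx").write_text("<%@ WebHandler %>")
    (ext / "Manifest.xml").write_text("<Manifest/>")
    (root / "Shell.aspx").write_text("<%@ Page %>")  # a dropped handler at the top level
    try:
        return suspicious_extension_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for n, method, path in find_setup_wizard_requests(SAMPLE_LOG):
        print(f"log line {n}: {method} {path}")
    print("unexpected users:", unexpected_users(SAMPLE_USER_XML, ["admin", "helpdesk"]))
    print("extension files to review:", demo_extension_scan())
```

Run it against real data by feeding your proxy log lines to find_setup_wizard_requests, the text of App_Data\User.xml plus your administrator list to unexpected_users, and the path of a copied App_Extensions folder to suspicious_extension_files. Any hit from the first two checks dated before the patch was installed should be treated as a likely compromise and escalated, since a user the attacker created survives the upgrade.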