
ScreenConnect Vulnerability | February 2024

ScreenConnect Vulnerability Overview

 

Vulnerability Update

(2/22/2024) Attackers are now actively exploiting these vulnerabilities, including affiliates of at least one ransomware group. Given the ease and impact of exploitation, it is crucial that affected organizations patch immediately.

Background Information

ConnectWise issued a security advisory for critical security vulnerabilities (CVE-2024-1708 & CVE-2024-1709) in ConnectWise ScreenConnect, an application commonly used for remote desktop management. The security vulnerabilities could allow a remote attacker to take control of the system. We recommend organizations upgrade to a patched version immediately.

Impact of the Vulnerability

As reported by ConnectWise, the vulnerabilities enable a remote attacker to bypass authentication and execute code on the system. Corvus has observed similar vulnerabilities lead to significant security incidents including data theft and ransomware. These vulnerabilities impact on-premise or self-hosted installations of ScreenConnect 23.9.7 and prior.

Note: ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue and require no further action.

Next Steps

  • Update to a fixed version, currently at least 23.9.8.

  • See this blog post by Huntress for detection guidance.

Threat Hunting Resources

Given the speed with which attackers were able to exploit these vulnerabilities (we are already seeing claims come in), we recommend checking your ScreenConnect instance to ensure that attackers weren’t able to compromise the system before the patch was installed. Below are a few recommendations to look for indicators of compromise, along with some free tools.

Review IIS logs for a trailing slash

Look for the trailing slash after SetupWizard.aspx, which can be an indicator of possible exploitation of the ScreenConnect auth bypass. Sophos Rapid Response Query
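As an added example (not from ConnectWise, Huntress or Sophos), the following Python sketch applies this check to IIS logs in W3C extended format, using the `#Fields:` header to locate the URI column. The sample log lines and the function name `find_setupwizard_hits` are constructed for illustration.

```python
# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-02-21 10:01:02 198.51.100.7 GET /SetupWizard.aspx - 302
2024-02-21 10:01:05 198.51.100.7 GET /SetupWizard.aspx/ - 200
2024-02-21 10:02:00 203.0.113.9 GET /Login - 200
2024-02-21 10:03:00 203.0.113.9 GET /setupwizard.aspx/ - 200
2024-02-21 10:04:00 203.0.113.9 GET
"""

# Lower-cased marker: SetupWizard.aspx followed by a slash.
MARKER = "/setupwizard.aspx/"


def find_setupwizard_hits(lines):
    """Return log records whose URI stem has a slash after SetupWizard.aspx."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; use the latest header.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blanks, or rows before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        rec = dict(zip(fields, values))
        # Compare case-insensitively, since the log may record either casing.
        if MARKER in rec.get("cs-uri-stem", "").lower():
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in find_setupwizard_hits(SAMPLE_LOG.splitlines()):
        print(r.get("date"), r.get("time"), r.get("c-ip"),
              r.get("cs-method"), r.get("cs-uri-stem"), r.get("sc-status"))
```

To run it against real logs, pass an open log file to `find_setupwizard_hits` in place of the sample; any hit warrants the follow-up checks in the sections below.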

Review User.xml file for new users

Check the User.xml file found in the ScreenConnect\App_Data folder for possible signs of exploitation in the ScreenConnect Server. The content of the file will be updated when an attacker executes the exploit and creates a new user. Sophos Rapid Response Query

Check for evidence of temporary user file creation

Check for temporary user creation XML files on disk within the past two weeks. The presence of this file can be an indicator of possible exploitation. Sophos Rapid Response Query

Look for .ASPX and .ASHX files in App_Extensions folder

Review any .ASPX and .ASHX files in the \ScreenConnect\App_Extensions folder and determine whether they are malicious. Sophos Rapid Response

Identify shells being spawned from ScreenConnect

Identify shells being spawned from the ScreenConnect process. Sophos Rapid Response Query
