Vulnerabilities and Threats (Corvus Alerts)
      Back to home
      1. Knowledge Nest
      2. Cybersecurity Tips + Vulnerability Alerts
      3. Vulnerabilities and Threats (Corvus Alerts)

      ScreenConnect Vulnerability | February 2024

      There's a critical vulnerability in ScreenConnect. Here's what you need to know.

      Update (2/22/2024)

      Attackers are now actively exploiting these vulnerabilities, including affiliates of at least one ransomware group. Given the ease and impact of exploitation, it is crucial that affected organizations patch immediately.

      Background

      ConnectWise issued a security advisory for critical security vulnerabilities (CVE-2024-1708 & CVE-2024-1709) in ConnectWise ScreenConnect, an application commonly used for remote desktop management. The security vulnerabilities could allow a remote attacker to take control of the system. We recommend organizations upgrade to a patched version immediately.

      Impact

      As reported by ConnectWise, the vulnerabilities enable a remote attacker to bypass authentication and execute code on the system. Corvus has observed similar vulnerabilities lead to significant security incidents including data theft and ransomware. These vulnerabilities impact on-premise or self-hosted installations of ScreenConnect 23.9.7 and prior.

      Note: ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue and require no further action.

      Next Steps

      • Update to a fixed version, currently at least 23.9.8.
      • See this blog post by Huntress for detection guidance.

      Threat Hunting Resources

      Given the speed with which attackers were able to exploit these vulnerabilities (we are already seeing claims come in), we recommend checking your ScreenConnect instance to ensure that attackers weren’t able to compromise the system before the patch was installed. Below are a few recommendations to look for indicators of compromise, along with some free tools.

      Review IIS logs for a trailing slash: Look for the trailing slash after SetupWizard.aspx, which can be an indicator of possible exploitation of Screenconnect auth bypass. Sophos Rapid Response Query

      Review user.xml file for new users: Check the User.xml file found in the ScreenConnect\App_Data folder for possible signs of exploitation in the ScreenConnect Server. The content of the file will be updated when an attacker executes the exploit and creates a new user. Sophos Rapid Response Query

      Check for evidence of temporary user file creation: Check for temporary user creation XML files on disk within the past two weeks. The presence of this file can be an indicator of possible exploitation. Sophos Rapid Response Query

      Look for for .ASPX .ASHX files in App_Extensions folder: Review any  .ASPX and .ASHX files in the \ScreenConnect\App_Extensions folder and determine whether they are malicious. Sophos Rapid Response

      Identify shells being spawned from ScreenConnect: Identify shells being spawned from ScreenConnect process. Sophos Rapid Response Query