Cyber experts alarmed by ‘trivial’ ConnectWise vulns

The disclosure of two dangerous vulnerabilities in the popular ConnectWise ScreenConnect product is drawing comparisons with major cyber incidents, including the 2021 Kaseya attack

Alex Scroxton,
Security Editor

Published: 22 Feb 2024 18:22

A pair of newly disclosed vulnerabilities in a widely used remote desktop access application beloved of managed services providers (MSPs) is drawing comparisons to the July 2021 cyber attack on Kaseya, with security experts describing exploitation as trivial.

The product in question, ConnectWise ScreenConnect, is widely used by remote workers and IT support teams alike. The first vulnerability enables a threat actor to achieve authentication bypass using an alternate path or channel and is tracked as CVE-2024-1709. It carries a critical CVSS score of 10, and has already been added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue. Thile the second is a path traversal issue, tracked as CVE-2024-1708, which carries a CVSS score of 8.4.

ConnectWise has released fixes for the issue, and says cloud partners are remediated against both already, while on-premises partners should immediately update to version 23.9.10.8817. More information, including indicators of compromise (IoCs) is available here.

ConnectWise confirmed it was aware of and investigating notifications of suspicious activity around the two vulnerabilities, and on 21 February confirmed observed, active exploitation after proof-of-concept exploit code hit GitHub.

“Anyone with ConnectWise ScreenConnect 23.9.8 should take immediate steps to patch these systems. If they cannot patch immediately, they should take steps to remove them from the internet until they can patch. Users should also check for any indications of possible compromise given the speed with which attacks have followed these patches,” said Sophos X-Ops director Christopher Budd.

“The pairing of an exploitable vulnerability with external remote services is a significant factor in real-world attacks, as evidenced in the Active adversary report for tech Leaders based on incident response cases. External remote services are the number one initial access technique; while exploiting a vulnerability was the second most common root cause, at 23%, it has been the most common root cause in the past.

“This real-world data shows how powerful this combination is for attackers and why in this significantly elevated threat environment, vulnerable ConnectWise customers need to take immediate action to protect themselves,” he added.

Following ConnectWise’s initial disclosure notice, researchers at Huntress Security worked overnight to tear down the vulnerability, understand how it worked, and recreate the exploit.

Hanslovan said that the initial disclosure had been very sparse on technical details, and for good reason, but following publication of the PoC exploit code, the cat was now well and truly out of the bag. He described exploitation as “embarrassingly easy”.

“I can’t sugercoat it, this s**t is bad,” said Kyle Hanslovan, Huntress CEO. “We’re talking upwards of ten thousand servers that control hundreds of thousands of endpoints…. The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all. Hospitals, critical infrastructure, and state institutions are proven at risk.”

Comparisons with Kaseya

The 2021 Kaseya hit by the REvil ransomware crew was one of the first high-profile supply chain incidents to raise widespread awareness of the security issues surrounding managed services.

The attack, which unfolded in the US over the 4 July holiday weekend, when security teams were enjoying some downtime, saw over a thousand organisations compromised via Kaseya’s endpoint and network management service.

The 2023 MOVEit managed file transfer incident had a similar impact, enabling the Clop/Cl0p ransomware gang to spread downstream into a great many organisations who had contracted with MOVEit customers.

Hanslovan said that comparisons with both incidents were apt, given the huge number of MSPs who use ConnectWise.

“There’s a reckoning coming with dual-purpose software; like Huntress uncovered with MOVEit over the summer, the same seamless functionality it gives to IT teams, it also gives to hackers,” he said.

“With remote access software, the bad guys can push ransomware as easily as the good guys can push a patch. And once they start pushing their data encryptors, I’d be willing to bet 90% of preventative security software won’t catch it because it’s coming from a trusted source.”

Read more on Hackers and cybercrime prevention

ConnectWise users see cyber attacks surge, including ransomware