ConnectWise ScreenConnect Vulnerabilities: What CIOs Need to Know

[Updated with comments from ConnectWise in the fifth paragraph.]

Earlier this month, IT management software company ConnectWise announced vulnerabilities in its ScreenConnect, its remote access tool. The critical vulnerabilities (CVE-2024-1709 and CVE-2024-1708) are being exploited in the wild. What do CIOs and other enterprise security leaders need to know about remediation and exploitation of these bugs thus far?

The Vulnerabilities

CVE-2024-1709 is an authentication bypass vulnerability; it has a Common Vulnerability Scoring System (CVSS) score of 10 (on a scale of 0-10). CVE-2024-1708 is a path traversal bug with a CVSS score of 8.4. The vulnerabilities can give threat actors remote code execution capabilities.

“Leveraging these vulnerabilities, adversaries can orchestrate an unauthorized elevation of privileges to gain administrative oversight of the ScreenConnect environment absent legitimate authentication credentials. In addition, the path traversal flaw permits unauthorized file access or modification,” Saeed Abbasi, manager, vulnerability research at IT security and compliance platform Qualys, explains in an email interview.

ConnectWise shared that it remediated the vulnerabilities within 36 hours of confirmation for its cloud partners. It advises on-premises partners to immediately upgrade to the latest ScreenConnect version.

Related:Expect the Unexpected: How to Reduce Zero-Day Risk

ConnectWise emailed an additional statement to InformationWeek regarding its response to the vulnerabilities: “We have swiftly addressed the two vulnerabilities (CVE-2024-1709 and CVE-2024-1708) in our ScreenConnect software. Our cloud partners were automatically protected within 48 hours, while on-premise customers were urged to apply the provided patch immediately through the upgrade path we provided.”

Patches are being applied. As of Feb. 27, there were more than 3,400 potentially vulnerable ScreenConnect instances online, according to threat intelligence platform Censys. Censys reports potentially vulnerable exposed instances have gone down 47.7% in the week since ConnectWise released the patches.

“ConnectWise is being used by more than 15,000 companies that support hundreds of thousands of endpoints, devices that ScreenConnect would be installed on,” Peter Avery, vice president of security and compliance at secure technology solutions company Visual Edge IT, tells InformationWeek. “Say that we were really lucky at this point and 80% of those devices are patched. That still leaves a very big target for cybercriminals to access and to run amuck with.”

Related:Damage Control: Addressing Reputational Harm After a Data Breach

Exploitation

While patches have been released and are being applied, threat actors have leapt at the opportunity to take advantage of the vulnerabilities. Managed cybersecurity platform Huntress has been closely following the vulnerabilities and sharing technical details since Feb. 19.

The Huntress team was able to recreate the exploit and began offering notification and detection guidance. They initially held off on offering technical details because of how easy it would be for threat actors to exploit the vulnerabilities, according to John Hammond, principal security researcher at Huntress.

Public proof of concept did become available, and the story of active exploitation began to unfold.

Threat actors, such as Black Basta and Bl00dy Ransomware, are using the vulnerabilities to deploy ransomware, according to Trend Micro. Huntress also noted that threat actors are using LockBit ransomware, although the group was subject to a recent major law enforcement disruption operation.

“What we've seen for LockBit ransomware has been honestly a leaked copy or publicly exposed instance of the builder or the encrypting tool that was made available back in September 2022,” Hammond explains.

Thus far, it appears that the damage has been relatively contained. “The patch was effective. The mitigations and defenses put in place have constrained damages,” says Hammond.

Related:How to Build a Strong IT Risk Mitigation Strategy

But there is the possibility that the blast radius could expand to downstream clients and devices. “Because ScreenConnect is widely used by MSPs, security leaders must recognize the heightened urgency in addressing these vulnerabilities, considering the interconnected nature of MSP-client relationships, and take immediate and comprehensive measures to mitigate the risks and prevent cascading supply chain attacks,” Patrick Tiquet, vice president, security and architecture at Keeper Security, a zero trust cybersecurity software company, shares in emailed comments.

Risk Management

Patching is the first step to mitigating the risk of these vulnerabilities. Avery advocates for a “trust and verify” approach with vendors. “So, if say ConnectWise says, ‘We're patching all our servers; you need to patch your end points,’ I always follow back up with whoever that company is that’s providing the service or the software or whatever it is and say, ‘Okay, provide me proof that this is in place.’”

While patching is critical, the work doesn’t stop there. With exploitation happening in the wild, enterprise security teams need to be searching for signs of compromise in their environments. “Go look for those indicators of compromise. Go do that due diligence threat hunting because there may very well be a delta … between when you patched and when exploitation in the wild was out,” Hammond advises.

If security leaders discover successful exploitation of these vulnerabilities have impacted their organizations, it is time to put their incident response plans into action. They may need to call in outside security experts to understand the scope of compromise and fully recover. “It's important to bring in those security experts to help you form a strategy and then put the correct tactics in place,” says Avery.

The full story of exploitation is likely to unfold over weeks, months, or even longer. Enterprise security leaders will need to remain vigilant as threat actors consider how to maximize the damage.

“Any threat actor or adversary worth their salt will do that big spray and pray, just collect as much access as they can,” Hammond explains. “And if they're smart, [they] would hold onto that and wait until this is out of the spotlight. So, maybe two weeks, maybe three weeks, maybe months or even longer down the road, then they'll weaponize and do some more damage.”

While these ConnectWise ScreenConnect vulnerabilities are critical, they are not unique. “This is not an uncommon kind of vulnerability. It's going to happen again, and CISOs should have a plan in place to the detect these kinds of problems and have a response plan in place,” says Jeff Williams, cofounder and CTO at application security software platform Contrast Security.