May 7, 2024 By Douglas Bonderud 4 min read

On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and CVE-2024-1709. The first is a path traversal vulnerability, and the second is an authentication bypass vulnerability. Chained together, they made it possible for attackers to bypass authentication and execute remote code.

While ConnectWise initially reported that proof-of-concept code existed but that the vulnerabilities hadn’t been seen exploited in the wild, reports from customers quickly made it clear that attackers were actively exploiting both flaws. As a result, the company released patches for both CVEs.

Despite these updates, however, malicious actors aren’t giving up just yet, with reports of new attack vectors still coming in more than a month after the initial issue was detected. Here’s what enterprises need to know about these remote access risks.

Opportunity knocks: Attackers go all-in on ScreenConnect

The first round of attacks reported for ScreenConnect was tied to malware delivery. One week after the vulnerability was reported, however, persistent phishing campaigns were discovered that targeted both the healthcare industry and cryptocurrency users.

By February 27, ransomware groups such as Black Basta and Bl00dy began exploiting these vulnerabilities. The following week saw patches from ScreenConnect to address these evolving issues, and for several weeks the volume of attacks declined.

On March 27, however, new ScreenConnect threats emerged. Both Chinese threat group UNC5274 and Initial Access Brokers began using F5 BIG-IP (CVE-2023-46747) and the ScreenConnect vulnerabilities to actively exploit organizations.

Put simply, the ubiquity and usability of ScreenConnect made it an ideal compromise point for both money-driven and nation-state threat actors. Even with patches in place, the number of insecure systems remains high enough that attack vectors continue to evolve.

Understanding the ScreenConnect compromises

So, what exactly are the ScreenConnect vulnerabilities? Let’s take a look at each.

CVE-2024-1708

This vulnerability was assigned a CVSS 3.1 score of 8.4 out of 10. It affects ScreenConnect version 23.9.7 and all prior versions. It is a path traversal vulnerability that allows attackers to remotely execute code.

Specifically, it allows attackers to write files into the App_Extensions root directory rather than being confined to the correct extension subdirectory. While this flaw was problematic, its impact on its own was limited because exploiting it requires administrative credentials. In combination with CVE-2024-1709, however, this vulnerability became much more worrisome.

CVE-2024-1709

This vulnerability was assigned a CVSS 3.1 score of 10 out of 10, marking it “critical.” It is an authentication bypass vulnerability that relies on the text-based nature of the SetupWizard.aspx file.

Due to a quirk in .NET request handling, it is possible to append invalid URL components after a legitimate URL path and still have the request passed along to the application. In practice, this means that a request for /SetupWizard.aspx/anything reaches the ScreenConnect setup wizard on any ScreenConnect instance, even one that has already been configured.

Once attackers access the Setup Wizard welcome screen, all they need to do is click “Next.” Even if they do not complete the setup process, clicking Next will create a new user and delete all other local users. With full admin access, attackers can easily create and upload malicious extensions to gain Remote Code Execution (RCE) access.
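The request pattern described above (SetupWizard.aspx reached with an extra path segment) is something on-prem administrators can hunt for in their web server logs. The following is an added detection example, not code from ConnectWise or from the original article; it runs over a constructed IIS W3C-style log excerpt and flags the path-info requests, rating a POST (the wizard form submission) higher than a GET.

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C-style log excerpt (sample data, not a real capture).
# The column order follows the #Fields: header, as real IIS logs do.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-02-20 10:01:12 GET /Login - 203.0.113.7 200
2024-02-20 10:01:30 GET /SetupWizard.aspx/ - 203.0.113.7 200
2024-02-20 10:01:41 POST /SetupWizard.aspx/anything - 203.0.113.7 200
2024-02-20 10:05:02 GET /Host - 198.51.100.4 200
2024-02-20 10:05:09 GET /SetupWizard.aspx - 198.51.100.4 302
"""

# Indicator for the bypass: SetupWizard.aspx followed by a trailing path
# component. A plain /SetupWizard.aspx request on a configured instance is
# normally redirected away, so the trailing segment is what distinguishes
# the bypass from ordinary traffic.
SETUP_WIZARD_PATHINFO = re.compile(r"^/setupwizard\.aspx/", re.IGNORECASE)

@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    severity: str

def parse_w3c(text):
    """Yield one dict per row of W3C extended log text, keyed by its #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed rows rather than guess at columns
        yield dict(zip(fields, parts))

def find_setupwizard_bypass(text):
    """Return Findings for every request hitting SetupWizard.aspx with path info."""
    findings = []
    for row in parse_w3c(text):
        if not SETUP_WIZARD_PATHINFO.search(row["cs-uri-stem"]):
            continue
        # A POST is the wizard form being submitted (the "Next" click that
        # creates a new admin user); a GET is only the page being fetched.
        sev = "high" if row["cs-method"].upper() == "POST" else "medium"
        findings.append(Finding(row["time"], row["c-ip"], row["cs-method"],
                                row["cs-uri-stem"], sev))
    return findings

if __name__ == "__main__":
    for f in find_setupwizard_bypass(SAMPLE_LOG):
        print(f"{f.severity:6} {f.time} {f.client_ip} {f.method} {f.uri}")
```

Any hit on an instance that finished its setup long ago warrants checking the local user list for unexpected admin accounts and the App_Extensions directory for unexpected files.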

Problems, patches and persistence

ScreenConnect helps companies manage, monitor and troubleshoot remote devices. For example, if an employee working from home experiences issues with their company-issued smartphone, ScreenConnect lets IT staff log in remotely to diagnose and fix the issue.

Used maliciously, however, this same process can provide attackers with access to virtually all connected devices on a corporate network, both local and remote. As noted above, while CVE-2024-1708 was problematic because it let attackers remotely execute malicious code, the pair began gaining traction when attackers realized they could combine CVE-2024-1709 with CVE-2024-1708 to wipe user databases, create their own profiles and take full administrative access.

As a result, both vulnerabilities quickly became popular paths for attackers to gain remote access. Given the massive number of devices that now make up connected corporate networks, full access combined with the ability to overwrite existing user databases made exploiting these vulnerabilities a worthwhile endeavor for attackers.

Once both vulnerabilities were patched, attack volumes dropped, as evidenced by the lack of new threat vectors reported between the end of February and the end of March. Now, attacks are on the rise again as malicious actors target companies that haven’t applied the ScreenConnect patches. In addition, attackers are leveraging new CVEs to compromise remote connections and gain network access.

For example, Chinese groups UNC5714 and UNC5724 have been spotted using a combination of CVEs, including CVE-2023-46747, which targets the F5 BIG-IP service, and CVE-2024-1709 to attack both government and defense agencies. In other words, while the initial threat of ScreenConnect attacks has largely passed, the long-term impact remains a concern as new vulnerabilities are combined with existing exploits to create more sophisticated attacks.

Staying safe from remote access risks

For customers using the cloud-based version of ScreenConnect, patches were automatically applied. For enterprises using on-prem deployments, however, patching must be handled manually. This is critical because CVE-2024-1709 is easy to exploit, allowing attackers access before companies have time to react.

It’s also worth noting that while these vulnerabilities represent one type of significant security risk, they’re not the only emerging issue. Consider the rise of dual-track exploits, which use multiple attack vectors simultaneously to overwhelm network defenses, such as the combination of F5 BIG-IP and ScreenConnect CVEs. Keyword logging tools like BunnyLoader, meanwhile, are seeing improvements that boost performance by 90%, making it easier for attackers to find what they’re looking for once they compromise defenses. As a result, companies can benefit from patch management solutions that automatically identify and apply new patches to existing tools.

Given the changeable nature of security threats, however, post-problem patching isn’t enough in isolation. Instead, companies must deploy tools capable of identifying vulnerabilities before attackers can exploit them. It’s also worth pairing detection tools with vulnerability management solutions that continually discover, analyze and remediate potential vulnerabilities.

This triple-layer approach offers the best chance against remote access risks. Scanning tools identify risks, vulnerability management tools close the gaps and patch management processes ensure that defenses are automatically kept up-to-date.
