ConnectWise Vulnerabilities Raise Ransomware Alarms

Managed service providers (MSPs) were alerted this week to a “severe” vulnerability in ConnectWise ScreenConnect — software that many of these businesses use to gain remote access to customer endpoints for IT support and other services.

ScreenConnect is part of ConnectWise's larger suite of software for MSPs including professional services automation (PSA) and remote monitoring and management (RMM) software. ConnectWise holds the largest market share for PSA/RMM software at 27% according to the most recent market share estimates from Canalys.

Managed security services providers (MSSPs) that operate MSP business units and use this type of software could be impacted as well. MSSPs who have MSPs as customers should also be aware of the vulnerability.

ConnectWise said the two vulnerabilities include a critical vulnerability with a maximum CVSS score of 10. Its security bulletin was later updated with three IP addresses known to be targeting the flaw. ConnectWise partners using the cloud-based version of the company's platform need not be concerned. The flaw is currently only in the on-premises-based software, and a patch has been issued.

On February 19, ConnectWise released a security fix for its RMM software, ScreenConnect 23.9.7 (and all earlier versions), disclosing two vulnerabilities:

ConnectWise Vulnerabilities Rate “Critical”

ConnectWise lists the severity of the vulnerabilities as “critical,” meaning they “could allow the ability to execute remote code or directly impact confidential data or critical systems.” Having been assigned a “high” (1) priority, the vulnerabilities are either being targeted or have higher risk of being targeted by exploits in the wild, ConnectWise said. ScreenConnect users are urged to install updates as emergency changes or as soon as possible.

Managers of on-premises ConnectWise ScreenConnect software should immediately upgrade to version 23.9.8 to prevent server compromise, although cloud instances have already been patched, according to ConnectWise. Blackpoint Cyber claims it was first to discover and isolate the issues caused by the ScreenConnect vulnerabilities and urged their MSPs and customers to patch.

Setting the Stage for Ransomware, Supply Chain Attacks

This critical flaw, tracked as CVE-2024-1709, makes it “trivial and embarrassingly easy” to achieve authentication bypass and gain administrative access to ScreenConnect, according to researchers at Huntress. The second vulnerability, tracked as CVE-2024-1708, is a path traversal vulnerability that could allow a malicious ScreenConnect extension to achieve remote code execution (RCE) outside of its intended subdirectory.

"There’s a reckoning coming with dual-purpose software, like Huntress uncovered with MOVEit over the summer,” Huntress CEO Kyle Hanslovan said. “The same seamless functionality it gives to IT teams, it also gives to hackers.”

He explained that remote access software enables threat actors to “push ransomware as easily as the good guys can push a patch,” which could set the stage to a major supply chain attack.

“And once they start pushing their data encryptors, I’d be willing to bet 90% of preventative security software won’t catch it because it’s coming from a trusted source,” Hanslovan said.

In a statement for SC Media, who along with MSSP Alert is part of CyberRisk Alliance, Hanslovan said, “I can’t sugarcoat it — this s--- is bad. The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all.”

A Multitude of Endpoints Potentially Impacted

Huntress’ ThreatOps team reported the following actions and observations involving ScreenConnect:

Find Huntress’s full findings and recommendations here.

Cybercriminals Actively Exploiting the Vulnerability in the Wild

Bitdefender told MSSP Alert that cybercriminals have begun actively exploiting the vulnerability in the wild, and that its analysis indicates the use of malicious extensions. 

According to its technical advisory, Bitdefender’s threat teams has noticed several instances of potential attacks leveraging the extensions folder of ScreenConnect located at: %ProgramFiles(x86)%ScreenConnectApp_Extensions.

While Huntress believes this location could be exploited for file uploads in the root of the folder, Bitdefender’s observations “suggest the use of regular extensions. Thus, the triggered detection (Generic.Cert.Downloader.1) suggests the presence of a downloader based on the certutil.exe built-in tool.

Threat actors commonly employ this tool with -urlcache or -f arguments to initiate the download of additional malicious payloads onto the victim's system, Bitdefender said.

CISA's Cyber Defense Plan for RMM

In August 2023 the Cybersecurity and Infrastructure Security Agency (CISA) published the Cyber Defense Plan for Remote Monitoring and Management (RMM), the first proactive plan developed by industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of CISA's 2023 Planning Agenda. This plan provides a clear roadmap to advance security and resilience of the RMM ecosystem and further specific lines of effort in the National Cyber Strategy to scale public-private collaboration and in the CISA Cybersecurity Strategic Plan to drive adoption of the most impactful security measures.

CISA said the RMM Cyber Defense Plan provides a clear roadmap to advance security and resilience of this critical ecosystem, including RMM vendors, MSPs, MSSPs, small and medium sized businesses (SMBs), and critical infrastructure operators. 

The RMM Cyber Defense Plan is built on two foundational pillars -- operational collaboration and cyber defense guidance.

CISA's focus on RMM software followed two cyberattacks targeted through IT services and MSP platform companies -- the SolarWinds breach and the Kaseya ransomware attack.