A critical vulnerability affecting ConnectWise’s ScreenConnect remote desktop access product has been widely exploited to deliver ransomware and other types of malware.
ConnectWise notified customers on February 19 that it had released patches for a critical authentication bypass flaw and a high-severity path traversal issue. The security holes did not have CVE identifiers at the time.
The next day, the company warned that it had become aware of in-the-wild exploitation attempts.
CVE identifiers have now been assigned to both vulnerabilities: CVE-2024-1709 to the authentication bypass and CVE-2024-1708 to the path traversal bug.
Threat detection and response firm Huntress, which dubbed the flaws SlashAndGrab, disclosed technical details on February 21, after a proof-of-concept (PoC) exploit had already become available.
The authentication bypass vulnerability allows an attacker to create a new account that has administrator privileges. The path traversal can then be exploited for arbitrary code execution.
There are several reports of widespread exploitation of CVE-2024-1709, but it’s unclear if CVE-2024-1708 is being exploited as well.
Huntress reported seeing SlashAndGrab being exploited to deliver LockBit ransomware, Cobalt Strike, SSH tunnels, remote management tools, and cryptocurrency miners. Victims identified by the company include local governments, emergency systems, and healthcare organizations.
Sophos also reported seeing the delivery of the LockBit ransomware, which is interesting considering that the cybercrime enterprise was recently targeted in a highly disruptive law enforcement operation.
“Despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running,” Sophos said.
The cybersecurity firm has also seen the delivery of AsyncRAT, various infostealers, and SimpleHelp remote access software via the exploitation of the ScreenConnect vulnerability.
Non-profit cybersecurity organization The Shadowserver Foundation reported finding more than 8,200 internet-exposed and vulnerable instances of ScreenConnect as of February 21. The highest percentage of vulnerable instances was in the United States, followed by Canada and the United Kingdom.
“CVE-2024-1709 is widely exploited in the wild — 643 IPs seen attacking to date by our sensors,” Shadowserver said.
CISA has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, noting that the agency is aware of exploitation in ransomware attacks.
Related: CISA Urges Patching of Cisco ASA Flaw Exploited in Ransomware Attacks
Related: Microsoft Warns of Exploited Exchange Server Zero-Day
Related: Windows Zero-Day Exploited in Attacks on Financial Market Traders
