May 7, 2024 By Douglas Bonderud 4 min read

On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and CVE-2024-1709. The first is a path traversal vulnerability, and the second is an authentication bypass vulnerability. Together they made it possible for attackers to bypass authentication and execute code remotely.

While ConnectWise initially reported that proof-of-concept code existed but that the vulnerabilities hadn’t been spotted in the wild, reports from customers quickly made it clear that attackers were actively exploiting both flaws. As a result, the company released patches for both CVEs.

Despite these updates, however, malicious actors aren’t giving up just yet, with reports of new attack vectors still coming in more than a month after the initial issue was detected. Here’s what enterprises need to know about these remote access risks.

Opportunity knocks: Attackers go all-in on ScreenConnect

The first round of attacks reported for ScreenConnect was tied to malware delivery. One week after the vulnerability was reported, however, persistent phishing campaigns were discovered that targeted both the healthcare industry and cryptocurrency users.

By February 27, ransomware groups such as Black Basta and Bl00dy began exploiting these vulnerabilities. The following week saw patches from ScreenConnect to address these evolving issues, and for several weeks the volume of attacks declined.

On March 27, however, new ScreenConnect threats emerged. Both Chinese threat group UNC5274 and Initial Access Brokers began using F5 BIG-IP (CVE-2023-46747) and the ScreenConnect vulnerabilities to actively exploit organizations.

Put simply, the ubiquity and usability of ScreenConnect made it an ideal compromise point for both money-driven and nation-state threat actors. Even with patches in place, the number of insecure systems remains high enough that attack vectors continue to evolve.

Understanding the ScreenConnect compromises

So, what exactly are the ScreenConnect vulnerabilities? Let’s take a look at each.

CVE-2024-1708

This vulnerability was assigned a CVSS 3.1 score of 8.4 out of 10. It affects ScreenConnect version 23.9.7 and all prior versions. It is a path traversal vulnerability that allows attackers to remotely execute code.

Specifically, it allows attackers to write files anywhere under the App_Extensions root directory rather than confining them to the subdirectory belonging to their extension. On its own, the impact was limited because exploiting it required administrative credentials. In combination with CVE-2024-1709, however, this vulnerability became much more worrisome.
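The defensive counterpart to the path traversal described above is a confinement check: any file name an extension supplies must resolve to a location inside that extension’s own subdirectory, never elsewhere under the extensions root or outside it. The following is an added example written for this article, not ScreenConnect’s code; the root path, the extension id, and the helper names are assumptions. It generalizes beyond the single case in the text by rejecting `..` segments, backslash separators, and absolute paths alike.

```python
import posixpath

# Assumed layout for the example (not ScreenConnect's real install path).
EXTENSIONS_ROOT = "/srv/screenconnect/App_Extensions"


def resolve_extension_path(extension_id: str, relative_name: str,
                           root: str = EXTENSIONS_ROOT) -> str:
    """Return the absolute path of a file inside one extension's own subdirectory.

    Raises ValueError if the extension id is malformed or if the supplied file
    name would resolve to any location outside that subdirectory.
    """
    # The extension id selects the subdirectory, so it must be a single plain name.
    if (not extension_id or "/" in extension_id or "\\" in extension_id
            or extension_id in (".", "..")):
        raise ValueError(f"invalid extension id: {extension_id!r}")

    ext_dir = posixpath.normpath(posixpath.join(root, extension_id))

    # Normalise the caller-controlled name the way the filesystem would, treating
    # backslashes as separators too so a Windows-style "..\\" cannot slip past.
    # Note: posixpath.join discards ext_dir entirely if relative_name is absolute,
    # which is exactly why the containment check below is needed.
    candidate = posixpath.normpath(
        posixpath.join(ext_dir, relative_name.replace("\\", "/")))

    # Containment check. commonpath() compares whole path components, so a
    # sibling such as ".../ext1-evil" is not mistaken for ".../ext1" the way a
    # plain str.startswith() prefix test would be.
    if (posixpath.commonpath([ext_dir, candidate]) != ext_dir
            or candidate == ext_dir):
        raise ValueError(f"path escapes extension directory: {relative_name!r}")
    return candidate


def is_confined(extension_id: str, relative_name: str) -> bool:
    """Boolean convenience wrapper: True only if the write would stay confined."""
    try:
        resolve_extension_path(extension_id, relative_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs for illustration.
    for ext, name in [("ext1", "scripts/ui.js"),
                      ("ext1", "../../web.config"),
                      ("ext1", "..\\..\\evil.ashx"),
                      ("ext1", "/etc/passwd")]:
        print(f"{ext}/{name!r}: {'ok' if is_confined(ext, name) else 'REJECTED'}")
```

The important design choice is that the check is made on the fully resolved path with `commonpath`, not on the raw string. Checking the raw input for `..` misses encoded or mixed-separator variants, and a string prefix check accepts sibling directories that merely share a prefix.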

CVE-2024-1709

This vulnerability was assigned a CVSS 3.1 score of 10 out of 10, marking it “critical.” It is an authentication bypass exploit that relies on the text-based nature of the SetupWizard.aspx file.

Due to a quirk in how .NET handles request paths, it is possible to append invalid URL components after a legitimate URL path and still have the request passed along to the application. In practice, this means that by requesting /SetupWizard.aspx/anything, attackers can reach the ScreenConnect setup wizard on any ScreenConnect instance, even one that has already been configured.

Once attackers access the Setup Wizard welcome screen, all they need to do is click “Next.” Even if they do not complete the setup process, clicking Next will create a new user and delete all other local users. With full admin access, attackers can easily create and upload malicious extensions to gain Remote Code Execution (RCE) access.
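Two checks a defender can run immediately follow from the description above: look in web server logs for requests to /SetupWizard.aspx with extra path components on an instance that is already configured, and confirm that the installed version is outside the affected range (23.9.7 and earlier, as the article states). The following is an added example, not code from the article or from ConnectWise. The log lines are constructed in a simplified W3C/IIS-style layout (date, time, method, URI stem, query, status); the field order and the choice to rate POST requests higher, on the assumption that clicking “Next” submits a form, are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines, not real traffic. Fields:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-02-20 10:01:02 GET /Login - 200
2024-02-20 10:01:09 GET /SetupWizard.aspx/ - 200
2024-02-20 10:01:15 POST /SetupWizard.aspx/anything - 200
2024-02-20 10:02:00 GET /App_Extensions/ext1/ui.js - 200
2024-02-20 10:02:30 GET /setupwizard.aspx/../x - 200
2024-02-20 10:02:45 GET /SetupWizard.aspx - 302
"""

# Indicator from the article: a legitimate path followed by extra URL components.
# A bare /SetupWizard.aspx request on a configured server is normally redirected
# away, so only the form with a trailing component is treated as suspicious here.
_WIZARD_TRAILER = re.compile(r"^/setupwizard\.aspx/", re.IGNORECASE)

AFFECTED_UP_TO = "23.9.7"   # stated in the article: this version and all prior


@dataclass
class Finding:
    timestamp: str
    method: str
    uri: str
    status: str
    severity: str


def parse_log_line(line: str):
    """Split one log line into its six fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, method, uri, query, status = parts
    return f"{date} {time}", method.upper(), uri, query, status


def find_setup_wizard_bypass(log_text: str) -> list[Finding]:
    """Return a Finding for every request matching the setup wizard indicator."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, method, uri, _query, status = parsed
        if _WIZARD_TRAILER.match(uri):
            # Assumption: a POST is the wizard form being submitted, which the
            # article says creates a new user, so it is rated higher than a GET.
            severity = "high" if method == "POST" else "medium"
            findings.append(Finding(ts, method, uri, status, severity))
    return findings


def version_tuple(version: str) -> tuple:
    """'23.9.7' -> (23, 9, 7) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.strip().split("."))


def is_in_affected_range(version: str) -> bool:
    """True if the version is 23.9.7 or earlier, the range the article gives."""
    return version_tuple(version) <= version_tuple(AFFECTED_UP_TO)


if __name__ == "__main__":
    for f in find_setup_wizard_bypass(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.method} {f.uri} -> {f.status}")
    for v in ("23.9.7", "23.9.10", "22.4.1"):
        print(v, "affected" if is_in_affected_range(v) else "outside stated range")
```

The regex is anchored and case-insensitive because IIS treats URL paths case-insensitively, and versions are compared as integer tuples because a plain string comparison would wrongly rank "23.9.10" below "23.9.7". Any hit on a server that finished setup long ago is worth correlating with the local user table, since the article notes that completing the wizard step replaces existing local users.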

Problems, patches and persistence

ScreenConnect helps companies manage, monitor and troubleshoot remote devices. For example, if an employee working from home experiences issues with their company-issued smartphone, ScreenConnect lets IT staff log in remotely to diagnose and fix the issue.

Used maliciously, however, this same process can provide attackers with access to virtually all connected devices on a corporate network, both local and remote. As noted above, CVE-2024-1708 was problematic because it let attackers execute malicious code remotely, but the vulnerability only gained real traction once attackers realized they could chain CVE-2024-1709 with CVE-2024-1708 to wipe user databases, create their own profiles and take full administrative access.

As a result, both vulnerabilities quickly became popular paths for attackers to gain remote access. Given the massive number of devices that now make up connected corporate networks, full access combined with the ability to overwrite existing user databases made exploiting these vulnerabilities a worthwhile endeavor for attackers.

Once both vulnerabilities were patched, attack volumes dropped, as evidenced by the lack of new threat vectors reported between the end of February and the end of March. Now, attacks are on the rise again as malicious actors target companies that haven’t applied the ScreenConnect patches. In addition, attackers are leveraging new CVEs to compromise remote connections and gain network access.

For example, Chinese groups UNC5714 and UNC5724 have been spotted using a combination of CVEs, including CVE-2023-46747, which targets the F5 BIG-IP service, and CVE-2024-1709 to attack both government and defense agencies. In other words, while the initial threat of ScreenConnect attacks has largely passed, the long-term impact remains a concern as new vulnerabilities are combined with existing exploits to create more sophisticated attacks.

Staying safe from remote access risks

For customers using the cloud-based version of ScreenConnect, patches were automatically applied. For enterprises using on-prem deployments, however, patching must be handled manually. This is critical because CVE-2024-1709 is easy to exploit, allowing attackers access before companies have time to react.

It’s also worth noting that while these vulnerabilities represent one type of significant security risk, they’re not the only emerging issue. Consider the rise of dual-track exploits, which use multiple attack vectors simultaneously to overwhelm network defenses, such as the combination of F5 BIG-IP and ScreenConnect CVEs. Keystroke logging tools like BunnyLoader, meanwhile, are seeing improvements that boost performance by 90%, making it easier for attackers to find what they’re looking for once they compromise defenses. As a result, companies can benefit from patch management solutions that automatically identify and apply new patches to existing tools.

Given the changeable nature of security threats, however, post-problem patching isn’t enough in isolation. Instead, companies must deploy tools capable of identifying vulnerabilities before attackers can exploit them. It’s also worth pairing detection tools with vulnerability management solutions that continually discover, analyze and remediate potential vulnerabilities.

This triple-layer approach offers the best chance against remote access risks. Scanning tools identify risks, vulnerability management tools close the gaps and patch management processes ensure that defenses are automatically kept up-to-date.

To learn how IBM X-Force can help you with anything regarding cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
