Advanced Threat Prevention
Cortex XDR
This post is also available in: 日本語 (Japanese)
Executive Summary
Feb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop software application ScreenConnect. These vulnerabilities were first reported through their vulnerability disclosure channel in the ConnectWise Trust Center.
Feb. 19, 2024, ConnectWise publicly disclosed the vulnerabilities in a security bulletin.
As of Feb. 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally.
The newly disclosed vulnerabilities have now been assigned the following CVEs:
| CVE Number | Description | CVSS Severity |
| CVE-2024-1708 | ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | 8.4 High |
| CVE-2024-1709 | ConnectWise ScreenConnect 23.9.7 and prior are affected by an authentication bypass using an alternate path or channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | 10.0 Critical |
The authentication bypass vulnerability (CVE-2024-1709) is considered to be trivially exploitable, and proof-of-concept exploits are already available. Metasploit has released an unauthenticated remote code execution (RCE) exploit module for this vulnerability.
We assess with high confidence that this vulnerability will be actively targeted by various types of threat actors, including cybercriminals and nation-state actors, given the severity and scope of the vulnerability and the nature of the impacted product.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709 to the Known Exploited Vulnerabilities Catalog. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch agencies are required to address vulnerabilities identified in the catalog by the assigned due date. For this vulnerability the due date for remediation is Feb 29, 2024.
| Vulnerabilities Discussed | CVE-2024-1708, CVE-2024-1709 |
Current Scope of the Attack
Unit 42 is providing Incident Response support to customers related to these vulnerabilities.
ConnectWise has confirmed that it has “received updates of compromised accounts that our incident response team have been able to investigate and confirm.”
As of Feb. 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally.
Earlier scans showed that nearly three-quarters of these hosts were in the U.S. The top ten countries accounted for over 95% of global exposure. Our observations are summarized in Figure 1 and Table 1.
| Top Ten Countries with ConnectWise ScreenConnect Exposure | |
| Country Name | Unique IP Addresses |
| United States | 6,445 |
| United Kingdom | 466 |
| Canada | 407 |
| Australia | 401 |
| Germany | 259 |
| Ireland | 143 |
| Netherlands | 71 |
| India | 57 |
| Singapore | 40 |
| Sweden | 38 |
Table 1. Top ten countries with ConnectWise ScreenConnect exposure.
Mitigation Actions
The ConnectWise bulletin indicates that ScreenConnect servers hosted in screenconnect[.]com cloud or hostedrmm[.]com have been updated to remediate the issue and no end user action is required. For those with self-hosted or on-premise deployments, the guidance is to patch as soon as possible.
ConnectWise has removed license restrictions so that older versions can be upgraded even if no longer under maintenance.
Conclusion
Unit 42 will continue to monitor the situation and will update this post as more information becomes available.
Palo Alto Networks Product Protections for ConnectWise Vulnerabilities
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America Toll-Free: 866.486.4842 (866.4.UNIT42)
- EMEA: +31.20.299.3130
- APAC: +65.6983.8730
- Japan: +81.50.1790.0200
Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention
Next-Generation Firewall with the Advanced Threat Prevention security subscription an help block the attacks with best practices via the following Threat Prevention signatures 95048.
Cloud-Delivered Security Services for the Next-Generation Firewall
Advanced URL Filtering categorizes exploit and scanning attempts as Scanning Activity. Advanced URL Filtering and DNS Security categorize as malicious known domains/IPs associated with this activity.
Cortex XDR and XSIAM
Cortex XDR and XSIAM help protect against post-exploitation activities using the multi-layer protection approach.
Cortex Xpanse
Cortex Xpanse has added Attack Surface Rules for both generic ConnectWise ScreenConnect as well as known insecure versions of identified ConnectWise ScreenConnect instances. These rules are also available to XSIAM customers who have purchased the ASM module.
Additionally, Cortex Xpanse has published a new Threat Response Center event for this pair of vulnerabilities.
Indicators of Compromise
ConnectWise has identified the following IoCs, which were recently used by threat actors:
- 155.133.5[.]15
- 155.133.5[.]14
- 118.69.65[.]60
Sophos has identified the following IoCs. See their research on ConnectWise linked below.
| Indicator Type | Data | Note |
| SHA256 | 0d185ea3b0a49c2fa65bfd2757c9d0705657f0639fd36f196ac394fcd38c361d | Malware. Uses Sophos in properties. |
| SHA256 | 11d2dde6c51e977ed6e3f3d3e256c78062ae41fe780aefecfba1627e66daf771 | Malware with Sophos name in properties. Source: hxxp://207.246.74.189:804/download/Diablo.log |
| SHA256 | 1362e6d43b068005f5d7c755e997e6202775430ac15a794014aa9a7a03a974e7 | hxxp://185.232.92.32:8888/Logs.txt - Malicious Data, which will be loaded by (SentinelAgentCore.dll) |
| SHA256 | 19fc383683b34ba31ed055dc2e546a64eecbe06d79b6cc346773478c84f25f92 | Installer for ScreenConnect distributed by threat actors. Source: hxxps://transfer.sh/get/6YoVhBPfKE/temp2.exe |
| SHA256 | 254714b7028005596fd56bdbe30bfc77f02bbe274048d0982118d93966e79331 | hxxp://185.232.92.32:8888/all.ps1 - Malicious Script downloads payload (SentinelUI.exe, SentinelAgentCore.dll, Logs.txt) - Sideloading |
| SHA256 | 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a | "enc.exe" ransomware executable |
| SHA256 | 3818bb7adf60f8c2aeb5fe8c59b81fc7eb7f1471a80932610dc9a294ba7ba543 | Malware script that decodes to an executable. Source: hxxp://91.238.181.238/a |
| SHA256 | 444338339260d884070de53554543785acc3c9772e92c5af1dff96e60e67c195 | Payload from f1c7045badec0b9771da4a0f067eac99587d235d1ede35190080cd051d923da6 - %temp%\xw.exe |
| SHA256 | 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047 | AnyDesk installer distributed by threat actors. Source: hxxp://116.0.56.101:9191/images/Distribution.exe |
| SHA256 | 858ddfe6530fb00adb467f26e2c8f119fef284e1e9b6c92f0634f403ee3e7913 | Source: hxxp://shapefiles.fews.net.s3.amazonaws.com:80/8gaLYHLcZ4DPV |
| SHA256 | 86b5d7dd88b46a3e7c2fb58c01fbeb11dc7ad350370abfe648dbfad45edb8132 | Installer for SimpleHelp distributed by threat actors. Source: hxxps://transfer.sh/get/HcrhQuN0YC/temp3.exe |
| SHA256 | 8c2d246bf93bf84f6d4376cd46d8fcc3cb9c96d9bef7d42c23ff222d8f66eeaf | crypt64ult.exe ransomware executable inside of msappdata.msi |
| SHA256 | 8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600 | Source: hxxp://23.26.137.225:8084/msappdata.msi |
| SHA256 | 9b3327f9ea7c02c6909a472a3c1abb562b19ae72d733a8e2e990e975b5f8a5d0 | Payload from 3818bb7adf60f8c2aeb5fe8c59b81fc7eb7f1471a80932610dc9a294ba7ba543 - Cobalt Strike |
| SHA256 | a39d9b1b41157510d16e41e7c877b35452f201d02a05afa328f1bcd53d8ee016 | hxxp://185.232.92.32:8888/SentinelAgentCore.dll - Malicious DLL Component (Loader) |
| SHA256 | a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0 | Ransomware binary built using the leaked Lockbit 3 builder tool |
| SHA256 | c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f | "UpdaterScreenConnect.exe" malware |
| SHA256 | de42bd53cb0944da8bc33107796ecf296d00968725eed1763a8143cef90e2297 | hxxp://185.232.92.32:8888/sentinelui.exe - Clean File used for sideloading malicious DLL |
| SHA256 | f1c7045badec0b9771da4a0f067eac99587d235d1ede35190080cd051d923da6 | Script that decodes itself to become a malware executable |
| SHA256 | f3f5d3595559cad6019406d41f96fa88c69d693326cdf608c5fc4941fdf6a8ec | r.bat file that downloads 858ddfe6530fb00adb467f26e2c8f119fef284e1e9b6c92f0634f403ee3e7913 |
| SHA256 | b423d100e7aa2e576c8f21586f1d8924b34c3e9ed4cfdba40d121e21c3618445 | Decoded PowerShell script |
| URL | hxxp://116.0.56.101:9191/images/Distribution.exe | AnyDesk installer distributed by threat actors |
| URL | hxxp://119.3.12.54:8000/identity_helper.exe | URL observed in ScreenConnect attacks. Payload not retrieved. |
| URL | hxxp://159.65.130.146:4444/a | URL observed in ScreenConnect attacks. Payload not retrieved. |
| URL | hxxp://159.65.130.146:4444/svchost.exe | URL observed in ScreenConnect attacks. Payload not retrieved. |
| URL | hxxp://185.232.92.32:8888/all.ps1 | URL observed in ScreenConnect attacks. Payload not retrieved. |
| URL | hxxp://185.232.92.32:8888/Logs.txt | URL observed in ScreenConnect attacks. Payload not retrieved. |
| URL | hxxp://185.232.92.32:8888/SentinelAgentCore.dll | URL observed in ScreenConnect attacks. Payload not retrieved. |
| URL | hxxp://185.232.92.32:8888/sentinelui.exe | URL observed in ScreenConnect attacks. Payload not retrieved. |
| URL | hxxp://207.246.74.189:804/download/Diablo.log | Malicious stealer. File has properties that identify it as Sophos ML Model model.dll |
| URL | hxxp://91.238.181.238/a | 3818bb7adf60f8c2aeb5fe8c59b81fc7eb7f1471a80932610dc9a294ba7ba543 |
| URL | hxxps://transfer.sh/get/6YoVhBPfKE/temp2.exe | Installer for ScreenConnect distributed by threat actors. |
| URL | hxxps://transfer.sh/get/HcrhQuN0YC/temp3.exe | Installer for SimpleHelp remote access utility distributed by threat actors. |
Additional Resources
- ConnectWise ScreenConnect attacks deliver malware – Sophos X-Ops
Updated Feb. 23, 2024, at 6:13 a.m. PT to add additional information to the Executive Summary, Scope of Attack and Mitigations sections, including an update from CISA and other news. Added a Next-Generation Firewall Threat Prevention signature.
Updated Feb. 29, 2024, at 12:40 p.m. PT to add new IoCs from Sophos, an Additional Resources section, and expanded protections for Next-Generation Firewall.
Updated March 4, 2024, at 7:00 a.m. PT to add IPs to protections for Next-Generation Firewall.
Table of Contents
Related Vulnerabilities Resources
Threat Research
High Profile Threats
Get updates from Unit 42