This post is also available in: 日本語 (Japanese)

Executive Summary

Feb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop software application ScreenConnect. These vulnerabilities were first reported through their vulnerability disclosure channel in the ConnectWise Trust Center.

Feb. 19, 2024, ConnectWise publicly disclosed the vulnerabilities in a security bulletin.

As of Feb. 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally.

The newly disclosed vulnerabilities have now been assigned the following CVEs:

CVE Number Description CVSS Severity
CVE-2024-1708  ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. 8.4 High
CVE-2024-1709 ConnectWise ScreenConnect 23.9.7 and prior are affected by an authentication bypass using an alternate path or channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. 10.0 Critical

The authentication bypass vulnerability (CVE-2024-1709) is considered to be trivially exploitable, and proof-of-concept exploits are already available. Metasploit has released an unauthenticated remote code execution (RCE) exploit module for this vulnerability.

We assess with high confidence that this vulnerability will be actively targeted by various types of threat actors, including cybercriminals and nation-state actors, given the severity and scope of the vulnerability and the nature of the impacted product.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709 to the Known Exploited Vulnerabilities Catalog. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch agencies are required to address vulnerabilities identified in the catalog by the assigned due date. For this vulnerability the due date for remediation is Feb 29, 2024.

Vulnerabilities Discussed CVE-2024-1708, CVE-2024-1709

Current Scope of the Attack

Unit 42 is providing Incident Response support to customers related to these vulnerabilities.

ConnectWise has confirmed that it has “received updates of compromised accounts that our incident response team have been able to investigate and confirm.”

As of Feb. 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally.

Earlier scans showed that nearly three-quarters of these hosts were in the U.S. The top ten countries accounted for over 95% of global exposure. Our observations are summarized in Figure 1 and Table 1.

Image 1 is a heatmap of ConnectWise ScreenConnect global exposure as of February 19th, 2024. The highest instances are in the United States.
Figure 1. Global exposure of ConnectWise ScreenConnect as of Feb. 19, 2024.
Top Ten Countries with ConnectWise ScreenConnect Exposure
Country Name Unique IP Addresses
United States 6,445
United Kingdom 466
Canada 407
Australia 401
Germany 259
Ireland 143
Netherlands 71
India 57
Singapore 40
Sweden 38

Table 1. Top ten countries with ConnectWise ScreenConnect exposure.

Mitigation Actions

The ConnectWise bulletin indicates that ScreenConnect servers hosted in screenconnect[.]com cloud or hostedrmm[.]com have been updated to remediate the issue and no end user action is required. For those with self-hosted or on-premise deployments, the guidance is to patch as soon as possible.

ConnectWise has removed license restrictions so that older versions can be upgraded even if no longer under maintenance.

Conclusion

Unit 42 will continue to monitor the situation and will update this post as more information becomes available.

Palo Alto Networks Product Protections for ConnectWise Vulnerabilities

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention

Next-Generation Firewall with the Advanced Threat Prevention security subscription an help block the attacks with best practices via the following Threat Prevention signatures 95048.

Cloud-Delivered Security Services for the Next-Generation Firewall

Advanced URL Filtering categorizes exploit and scanning attempts as Scanning Activity. Advanced URL Filtering and DNS Security categorize as malicious known domains/IPs associated with this activity.

Cortex XDR and XSIAM

Cortex XDR and XSIAM help protect against post-exploitation activities using the multi-layer protection approach.

Cortex Xpanse

Cortex Xpanse has added Attack Surface Rules for both generic ConnectWise ScreenConnect as well as known insecure versions of identified ConnectWise ScreenConnect instances. These rules are also available to XSIAM customers who have purchased the ASM module.

Additionally, Cortex Xpanse has published a new Threat Response Center event for this pair of vulnerabilities.

Indicators of Compromise

ConnectWise has identified the following IoCs, which were recently used by threat actors:

  • 155.133.5[.]15
  • 155.133.5[.]14
  • 118.69.65[.]60

Sophos has identified the following IoCs. See their research on ConnectWise linked below.

Indicator Type Data Note
SHA256 0d185ea3b0a49c2fa65bfd2757c9d0705657f0639fd36f196ac394fcd38c361d Malware. Uses Sophos in properties.
SHA256 11d2dde6c51e977ed6e3f3d3e256c78062ae41fe780aefecfba1627e66daf771 Malware with Sophos name in properties. Source: hxxp://207.246.74.189:804/download/Diablo.log
SHA256 1362e6d43b068005f5d7c755e997e6202775430ac15a794014aa9a7a03a974e7 hxxp://185.232.92.32:8888/Logs.txt - Malicious Data, which will be loaded by (SentinelAgentCore.dll)
SHA256 19fc383683b34ba31ed055dc2e546a64eecbe06d79b6cc346773478c84f25f92 Installer for ScreenConnect distributed by threat actors. Source: hxxps://transfer.sh/get/6YoVhBPfKE/temp2.exe
SHA256 254714b7028005596fd56bdbe30bfc77f02bbe274048d0982118d93966e79331 hxxp://185.232.92.32:8888/all.ps1 - Malicious Script downloads payload (SentinelUI.exe, SentinelAgentCore.dll, Logs.txt) - Sideloading
SHA256 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a "enc.exe" ransomware executable
SHA256 3818bb7adf60f8c2aeb5fe8c59b81fc7eb7f1471a80932610dc9a294ba7ba543 Malware script that decodes to an executable. Source: hxxp://91.238.181.238/a
SHA256 444338339260d884070de53554543785acc3c9772e92c5af1dff96e60e67c195 Payload from f1c7045badec0b9771da4a0f067eac99587d235d1ede35190080cd051d923da6 - %temp%\xw.exe
SHA256 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047 AnyDesk installer distributed by threat actors. Source: hxxp://116.0.56.101:9191/images/Distribution.exe
SHA256 858ddfe6530fb00adb467f26e2c8f119fef284e1e9b6c92f0634f403ee3e7913 Source: hxxp://shapefiles.fews.net.s3.amazonaws.com:80/8gaLYHLcZ4DPV
SHA256 86b5d7dd88b46a3e7c2fb58c01fbeb11dc7ad350370abfe648dbfad45edb8132 Installer for SimpleHelp distributed by threat actors. Source: hxxps://transfer.sh/get/HcrhQuN0YC/temp3.exe
SHA256 8c2d246bf93bf84f6d4376cd46d8fcc3cb9c96d9bef7d42c23ff222d8f66eeaf crypt64ult.exe ransomware executable inside of msappdata.msi
SHA256 8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600 Source: hxxp://23.26.137.225:8084/msappdata.msi
SHA256 9b3327f9ea7c02c6909a472a3c1abb562b19ae72d733a8e2e990e975b5f8a5d0 Payload from 3818bb7adf60f8c2aeb5fe8c59b81fc7eb7f1471a80932610dc9a294ba7ba543 - Cobalt Strike
SHA256 a39d9b1b41157510d16e41e7c877b35452f201d02a05afa328f1bcd53d8ee016 hxxp://185.232.92.32:8888/SentinelAgentCore.dll - Malicious DLL Component (Loader)
SHA256 a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0 Ransomware binary built using the leaked Lockbit 3 builder tool
SHA256 c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f "UpdaterScreenConnect.exe" malware
SHA256 de42bd53cb0944da8bc33107796ecf296d00968725eed1763a8143cef90e2297 hxxp://185.232.92.32:8888/sentinelui.exe - Clean File used for sideloading malicious DLL
SHA256 f1c7045badec0b9771da4a0f067eac99587d235d1ede35190080cd051d923da6 Script that decodes itself to become a malware executable
SHA256 f3f5d3595559cad6019406d41f96fa88c69d693326cdf608c5fc4941fdf6a8ec r.bat file that downloads 858ddfe6530fb00adb467f26e2c8f119fef284e1e9b6c92f0634f403ee3e7913
SHA256 b423d100e7aa2e576c8f21586f1d8924b34c3e9ed4cfdba40d121e21c3618445 Decoded PowerShell script
URL hxxp://116.0.56.101:9191/images/Distribution.exe AnyDesk installer distributed by threat actors
URL hxxp://119.3.12.54:8000/identity_helper.exe URL observed in ScreenConnect attacks. Payload not retrieved.
URL hxxp://159.65.130.146:4444/a URL observed in ScreenConnect attacks. Payload not retrieved.
URL hxxp://159.65.130.146:4444/svchost.exe URL observed in ScreenConnect attacks. Payload not retrieved.
URL hxxp://185.232.92.32:8888/all.ps1 URL observed in ScreenConnect attacks. Payload not retrieved.
URL hxxp://185.232.92.32:8888/Logs.txt URL observed in ScreenConnect attacks. Payload not retrieved.
URL hxxp://185.232.92.32:8888/SentinelAgentCore.dll URL observed in ScreenConnect attacks. Payload not retrieved.
URL hxxp://185.232.92.32:8888/sentinelui.exe URL observed in ScreenConnect attacks. Payload not retrieved.
URL hxxp://207.246.74.189:804/download/Diablo.log Malicious stealer. File has properties that identify it as Sophos ML Model model.dll
URL hxxp://91.238.181.238/a 3818bb7adf60f8c2aeb5fe8c59b81fc7eb7f1471a80932610dc9a294ba7ba543
URL hxxps://transfer.sh/get/6YoVhBPfKE/temp2.exe Installer for ScreenConnect distributed by threat actors.
URL hxxps://transfer.sh/get/HcrhQuN0YC/temp3.exe Installer for SimpleHelp remote access utility distributed by threat actors.

Additional Resources

Updated Feb. 23, 2024, at 6:13 a.m. PT to add additional information to the Executive Summary, Scope of Attack and Mitigations sections, including an update from CISA and other news. Added a Next-Generation Firewall Threat Prevention signature. 

Updated Feb. 29, 2024, at 12:40 p.m. PT to add new IoCs from Sophos, an Additional Resources section, and expanded protections for Next-Generation Firewall. 

Updated March 4, 2024, at 7:00 a.m. PT to add IPs to protections for Next-Generation Firewall. 

Enlarged Image