ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware

February 23, 2024 at 10:13AM

A critical security vulnerability in ConnectWise ScreenConnect has been identified, with potential for a large-scale supply-chain attack. Exploitation can allow hackers to access numerous servers and endpoints, including those of managed service providers. Multiple CVEs have been disclosed, with active exploitation reported. Organizations are advised to apply patches and monitor for compromise indicators.

Key takeaways:

– A critical security vulnerability in the ConnectWise ScreenConnect remote desktop management service is being exploited, with potential for a supply-chain attack.
– Researchers warn of the possibility of the “biggest cybersecurity incident of 2024” due to the exploitation, allowing remote access to thousands of servers and endpoints.
– The vulnerabilities have now received tracking CVEs, with one of them being a max-severity authentication bypass (CVE-2024-1709, CVSS 10).
– The vulnerabilities are actively being exploited in the wild, with a significant number of vulnerable instances exposed to the Internet.
– Initial access brokers (IABs) are utilizing the bugs to gain access to endpoints, potentially selling that access to ransomware groups.
– Threat actors are observed using malicious extensions to deploy ransomware and additional malware, with indications that it may bypass preventative security software.
– The US Cybersecurity and Infrastructure Security Agency (CISA) has added the bugs to its Known Exploited Vulnerabilities catalog.
– Mitigation for the vulnerabilities involves applying the patches issued with ScreenConnect version 23.9.8 and monitoring indicators of compromise (IoCs) listed by ConnectWise.
