‘SlashAndGrab’ ScreenConnect Vulnerability Widely Exploited for Malware Delivery

February 23, 2024 at 07:33AM

ConnectWise’s ScreenConnect product was affected by a critical vulnerability that led to widespread exploitation for delivering ransomware and other malware. The company issued patches for an authentication bypass flaw and a path traversal issue, which have since been assigned CVE identifiers. The exploited flaws, dubbed SlashAndGrab, allowed unauthorized account creation and arbitrary code execution. Multiple vendors reported malicious activity, and over 8,200 vulnerable internet-exposed instances were identified. CISA added the authentication bypass to its Known Exploited Vulnerabilities Catalog.

Key takeaways from the meeting notes:

1. ConnectWise’s ScreenConnect remote desktop access product is affected by critical vulnerabilities leading to widespread exploitation for delivering ransomware and other types of malware.

2. ConnectWise released patches for a critical authentication bypass flaw and a high-severity path traversal issue on February 19. The vulnerabilities did not have CVE identifiers initially but have now been assigned CVE-2024-1709 and CVE-2024-1708, respectively.

3. Huntress disclosed technical details of the vulnerabilities and reported seeing widespread exploitation, including the delivery of LockBit ransomware, Cobalt Strike, SSH tunnels, remote management tools, and cryptocurrency miners to victims such as local governments, emergency systems, and healthcare organizations.

4. Sophos also reported the delivery of LockBit ransomware, AsyncRAT, various infostealers, and SimpleHelp remote access software via the exploitation of the ScreenConnect vulnerability, despite a recent law enforcement operation against the LockBit cybercrime enterprise.

5. The Shadowserver Foundation found over 8,200 internet-exposed and vulnerable instances of ScreenConnect, with a major percentage in the United States.

6. CISA has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog and is aware of exploitation in ransomware attacks.

