ScreenConnect Vulnerability...How Bad Is It?

"Uh Oh" to "Oh Sh*t" in 7 Days

Somethign else was brewing while LockBit and law enforcement tried to outbluff each other. A major vulnerability in ConnectWise’s ScreenConnect remote access software…and it’s bad…very bad.

Some background to set the stage. ScreenConnect allows organizations to remotely access and manage systems. It’s great for IT teams and Managed Service Providers (“MSP”) who need to manage many systems.

No surprise here, attackers also love remote access software. When a vulnerability pops up in remote access software, attackers stock up on caffeine and have at it…

We can understand how many ScreenConnect systems are accessible to the Internet with Shodan. As of this post, we’re seeing over 12K devices. More than half of which are located in the United States.

Source: Shodan

Let’s unpack how quickly this unfolded. And we’ll all go to hacker school, where I’ll show you how this exploit works. Don’t worry, no pop quiz at the end, just knowledge.

-Jason

ScreenConnect Vulnerability
From “Uh Oh” to “Oh Sh*t” in 7 Days

This escalated quickly. Let’s dig into the timeline:

February 13th: An independent security researcher responsibly disclosed the vulnerability to ConnectWise’s Trust Center. Much better than just releasing it to the public…hold that thought…

February 14th: Valentine’s Day was ruined as ConnectWise validated the vulnerability and escalated the issue to their Engineering team, who developed and deployed a mitigation to their cloud-hosted instances. ConnectWise also confirmed that attackers had not been scanning for the vulnerability.

February 15th: Connectwise deployed a proper patch to the cloud-hosted ScreenConnect instances to augment the mitigation measure. Still no scanning…

February 19th: Engineering continued the patch parade with an official patch for on-premise ScreenConnect servers. They published a security bulletin to their Trust Center to inform customers and get the patching process started. Security companies popped up like a Meerkat and said they created a proof-of-concept exploit for the vulnerability. Thankfully, they responsibly withheld details to make it harder for attackers.

February 20th: Attackers joined the Meerkat party and started to scan the Internet for exposed ScreenConnect servers, presumably while they worked on developing an exploit.

February 21st: Because people can’t help themselves, security researchers and security companies released proof-of-concept exploit code (more on that in the next section). This made it easier for attackers to grab the exploit code and begin gaining access to vulnerable systems, of which there would be many because it had only been 48 hours since the patch became public.

February 23rd: Reports emerged detailing post-exploitation activity. Spoiler alert, none of it was good (more on that in a later section).

Now that we understand how this all played out, let’s dig into the fun parts. How did the exploit work?

ScreenConnect Vulnerability
Easy Peasy Exploitability

Allow me to teach you how to exploit this vulnerability…are you ready?

Okay…here we go.

/

That’s not a typo. That’s it…that’s the exploit…a forward slash. One character.

As Huntress shows us in their blog post, the vulnerability targets ScreenConnect’s Setup Wizard. You access a static URL for the Setup Wizard and then add the forward slash…

Source: Huntress

And voila, you access the Setup Wizard…

Source: Huntress

This access allows an attacker to create a new administrator account for ScreenConnect and gain the ability to execute remote commands on the system with full system privileges.

Now, I’m sure you’re thinking that people are great, and they would follow Uncle Ben’s advice to Spiderman to use this power responsibly.

That, of course, would be a fantasy. Attackers wasted no time wreaking havoc…which we’ll cover in the next section.

ScreenConnect Vulnerability
Post-Exploitation Antics

no laws no rules GIF by The Blacklist

Gif by theblacklist on Giphy

With an exploit this easy and limited time for organizations to patch, you know you’re in for a bad day. Huntress is on point with a great breakdown of what attackers did after running the exploit.

Here’s the tldr:

  1. Ransomware: Obviously.

  2. Cryptocurrency Mining: A little extra cash by stealing resources from compromised systems to mine some crypto.

  3. Hacking Tools: The defacto standard for many attackers, Cobalt Strike’s post-exploitation framework is a complete hacker toolkit to expand their access in the environment.

  4. More Remote Access: When you get access to a system, it always helps to have a backup. Some attackers opted to install Remote Monitoring and Management (“RMM”) tools or remote access tools.

One interesting observation. Some threat actors ran scripts to determine the privilege level they had on the system. This suggests that they may have had access to so many compromised systems that they took extra steps to find which systems were the best of the best to facilitate a future attack. Even attackers get indigestion when sitting in front of so much tasty access.

By this point, you’re probably (maybe, hopefully) asking what organizations should do to protect themselves.

I’m so glad you asked…

ScreenConnect Vulnerability
Stop the Bleeding

Cancel Season 8 GIF by The Office

Gif by theoffice on Giphy

Let’s cover the basics:

  1. Patch your system! You need to update to version 23.9.8 or higher.

  2. Look for unauthorized users: Check the current ScreenConnect users to confirm if they are all legitimate.

  3. Review the ScreenConnect audit log: Check for any suspicious activity in the audit report. While you’re at it, create some triggers for better logging.

  4. Review ConnectWise Extensions: Attackers may have installed malicious extensions. Review the installed extension and look for any malicious extensions.

Mandiant has a full remediation hardening guide. If you or your MSP runs ScreenConnect, this should not wait for your summer reading list. Do it now.

News
What Else is Happening?

📜 President Joe Biden signed an executive order to prevent the bulk sale of Americans’ private data to “countries of concern.” Unsurprisingly, that list includes China, Russia, Iran, and North Korea. Private data includes genomic, biometric, personal health, geolocation, financial, and other forms of Personally Identifiable Information. I guess these countries will have to hack us to steal our data instead…oh wait…they already do that too.

🇮🇷 The US Department of Justice ("DOJ”) charged a 39-year-old Iranian man for his role in cyber attacks against U.S. governments and defense companies between 2016 and 2021. Interestingly, this person was employed at an Iranian cybersecurity company that acted as a front for offensive cyber operations. I think his colleagues owe him lunch now for taking the blame.

🐡 Another phishing kit emerges capable of mimicking single-sign-on pages and using phishing emails, smishing, and vishing (sorry no, quishing) to trick users into given up their credentials.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week!

Reply

or to participate.