Summary

On Feb. 19, 2024, the enterprise software provider ConnectWise disclosed the presence of two severe vulnerabilities in their ScreenConnect product.  

ScreenConnect is an IT administration portal designed to provide graphical remote access to many devices (ScreenConnect clients) through a single central web utility (the ScreenConnect application server). The two vulnerabilities, named CVE-2024-1709 and CVE-2024-1708, reside in the ScreenConnect application server. They can be combined to remotely execute code and compromise the ScreenConnect server. 

As we proceed, we will evaluate the exploitation process in a lab environment, gauge the potential impact, and share several strategies for using behavioral analysis to detect exploitation of ScreenConnect servers. 

Technical Analysis of CVE-2024-1709

Authentication Bypass

Most elements of ScreenConnect server administration are secured behind a web login page that will not allow a user to proceed without proper credentials (Figure 1). 

Figure 1: ScreenConnect Login Portal

CVE-2024-1709 is an authentication bypass that allows even an unskilled attacker to bypass this page and directly access ScreenConnect administrator functionality. Ultimately, an attacker adds an administrative user with a predetermined username and password, then logs into the created account to instantly gain administrative privileges. Figure 2, for example, shows our Proof-of-Concept (PoC) script creating an account named “Administrator” with a lengthy password.

Figure 2: Authentication Bypass Script

The addition of this created account will be recorded in ScreenConnect’s Users.xml file. It contains the username, email, last activity and login information, which are useful artifacts for identifying potential malicious activity. It is strongly recommended that this be one of the files reviewed regularly in any internal audit. Figure 3 is an example of one of these Users.xml files, taken from one of our compromised honeypots.
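As an added example (not code from the Blackpoint post), the Python script below audits a copy of Users.xml for the kind of account the bypass leaves behind: an administrator created recently, a generic account name, or a malformed e-mail address. The element names it reads (User, Name, Email, Roles, CreationDate, LastLoginDate) and the sample file are assumptions constructed for the example; confirm them against a Users.xml from your own server before running it on real data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample in the element layout this example ASSUMES for Users.xml.
# The third account mirrors what the bypass creates: a fresh administrator with
# a generic name and a throwaway e-mail, logged into a minute after creation.
SAMPLE_USERS_XML = """<Users>
  <User>
    <Name>it.admin</Name>
    <Email>it.admin@example.internal</Email>
    <Roles>Administrators</Roles>
    <CreationDate>2023-06-01T09:12:00Z</CreationDate>
    <LastLoginDate>2024-02-18T14:03:00Z</LastLoginDate>
  </User>
  <User>
    <Name>helpdesk</Name>
    <Email>helpdesk@example.internal</Email>
    <Roles>Technicians</Roles>
    <CreationDate>2023-09-14T11:00:00Z</CreationDate>
    <LastLoginDate>2024-02-19T08:30:00Z</LastLoginDate>
  </User>
  <User>
    <Name>Administrator</Name>
    <Email>x@x</Email>
    <Roles>Administrators</Roles>
    <CreationDate>2024-02-20T03:41:17Z</CreationDate>
    <LastLoginDate>2024-02-20T03:42:05Z</LastLoginDate>
  </User>
</Users>
"""

# Names that legitimate staff accounts rarely use but throwaway accounts often do.
GENERIC_NAMES = {"administrator", "admin", "test", "user", "support"}


def _parse_ts(text):
    """Parse an ISO-8601 UTC timestamp; a missing value becomes None."""
    if not text:
        return None
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def parse_users(xml_text):
    """Flatten each <User> element into a plain dict."""
    root = ET.fromstring(xml_text)
    users = []
    for node in root.findall("User"):
        roles = node.findtext("Roles", "")
        users.append({
            "name": node.findtext("Name", "").strip(),
            "email": node.findtext("Email", "").strip(),
            "roles": [r.strip() for r in roles.split(",") if r.strip()],
            "created": _parse_ts(node.findtext("CreationDate")),
            "last_login": _parse_ts(node.findtext("LastLoginDate")),
        })
    return users


def audit_users(xml_text, now, recent_days=30):
    """Return the accounts that deserve a second look, with a reason for each."""
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for user in parse_users(xml_text):
        reasons = []
        is_admin = any(r.lower() == "administrators" for r in user["roles"])
        if is_admin and user["created"] and user["created"] >= cutoff:
            reasons.append(f"administrator created within the last {recent_days} days")
        if user["name"].lower() in GENERIC_NAMES:
            reasons.append("generic account name")
        domain = user["email"].rpartition("@")[2]
        if "@" not in user["email"] or "." not in domain:
            reasons.append("malformed e-mail address")
        if reasons:
            findings.append({"name": user["name"], "created": user["created"], "reasons": reasons})
    return findings


def demo(now=None):
    """Run the audit over the constructed sample with a fixed reference time."""
    now = now or datetime(2024, 2, 21, tzinfo=timezone.utc)
    return audit_users(SAMPLE_USERS_XML, now)


if __name__ == "__main__":
    for finding in demo():
        print(finding["name"], finding["created"], "; ".join(finding["reasons"]))
```

Run it against a copy of the file taken from backup rather than the live server, and compare the output with your change-management records: a legitimately provisioned administrator will have a ticket behind it, the account created by the bypass will not.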

Figure 3: Compromised Users.xml

With the account added, an attacker can simply log into the portal using the same credentials they supplied during exploitation. They are now an administrator of the ScreenConnect server (Figure 4).

Figure 4: Administrator Login

Note with extreme caution that, even without additional exploitation, the attacker now has an alarming amount of access to the victim’s IT capabilities. A ScreenConnect server administrator can view all ScreenConnect client desktops remotely, transfer files, and deploy software on them (Figure 5). This could enable mass compromise or lateral movement through the ScreenConnect client devices.

Figure 5: Send File

The use of remote monitoring and management (RMM) tools in the deployment of malicious payloads is something that we first brought to light in 2022 and was further supported by the CISA advisory in 2023. These tools are heavily relied upon in the MSP space, meaning the impact of this exploit could have significant financial and reputational ramifications for any organization that has not deployed a patch. 

These risk factors make CVE-2024-1709 a dangerous issue when used alone. However, alongside CVE-2024-1708, an attacker might go a step further. 

Technical Analysis of CVE-2024-1708

Path Traversal to Code Execution on the ScreenConnect Server 

ScreenConnect offers administrators the ability to upload custom extensions that expand ScreenConnect’s client and server functionalities. Extensions are supplied to the ScreenConnect application server as a ZIP file before ultimately being unpacked to the ScreenConnect App_Extensions directory (Figure 6). 

Figure 6: Extensions Folder

The extension upload feature ultimately contained another vulnerability: CVE-2024-1708. This path traversal vulnerability allows an attacker to craft an extension archive containing a malicious ASP.NET file that can “break out” of its designated extension folder and end up in the root of the App_Extensions folder, as depicted here (Figure 7): 

Figure 7: App_Extensions Folder

As this folder is web-accessible, an attacker can now execute the malicious ASP.NET file by browsing to it. This executes code on the server hosting the ScreenConnect installation, allowing a determined attacker to compromise the ScreenConnect server itself.  

Note that this approach contains an opportunity for behavioral detection. Properly formed ScreenConnect extensions each reside in their own GUID-delimited folders (as in the “fa36…” folder above). A lone file dropped in the root of the App_Extensions directory is unlikely to be from a legitimate ScreenConnect extension and could be used as one indicator of malicious activity. However, deploying a web shell isn’t the only method for remotely executing code on the ScreenConnect server, so this approach alone is not adequate. 
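As an added example that is not part of the original post, the Python below implements the two defender-side checks this section points to. The first flags archive entries whose path would resolve outside the extension's own GUID folder, which is the behaviour CVE-2024-1708 abuses; the second scans an App_Extensions tree for anything that is not a GUID-named folder and calls out web-executable file types. The archive contents, the GUID, the on-disk layout and the list of ASP.NET file types are assumptions constructed for the example, not vendor data.

```python
import io
import posixpath
import re
import tempfile
import zipfile
from pathlib import Path

# Properly formed extensions live in GUID-named folders under App_Extensions.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# File types the ASP.NET pipeline would execute if requested over HTTP (assumed list).
WEB_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asax"}


def traversing_entries(zip_bytes, extension_guid):
    """Return archive entry names that would land outside the extension's own folder."""
    base = posixpath.join("/App_Extensions", extension_guid)  # hypothetical anchor path
    escaped = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            # Normalise Windows separators and strip a leading slash, then resolve
            # ".." segments the way an unsafe extractor would.
            relative = name.replace("\\", "/").lstrip("/")
            target = posixpath.normpath(posixpath.join(base, relative))
            if target != base and not target.startswith(base + "/"):
                escaped.append(name)
    return escaped


def scan_app_extensions(root):
    """Findings for anything in App_Extensions that is not a GUID-named extension folder."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        if entry.is_dir():
            if not GUID_RE.match(entry.name):
                findings.append((entry.name, "folder name is not a GUID"))
        else:
            reason = "loose file in App_Extensions root"
            if entry.suffix.lower() in WEB_EXECUTABLE:
                reason += ", web-executable type"
            findings.append((entry.name, reason))
    return findings


def build_sample_zip():
    """Constructed archive: two well-formed entries plus one that steps out of its folder."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Manifest.xml", "<Manifest />")
        archive.writestr("Service/Main.cs", "// placeholder extension source")
        archive.writestr("../Dropped.ashx", "placeholder text, not a handler")
    return buffer.getvalue()


def demo_scan():
    """Constructed on-disk layout like Figure 7: one GUID folder and one loose file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "App_Extensions"
        legit = root / "fa360000-1111-2222-3333-444444444444"  # constructed GUID
        legit.mkdir(parents=True)
        (legit / "Manifest.xml").write_text("<Manifest />")
        (root / "Dropped.ashx").write_text("placeholder")
        return scan_app_extensions(root)


if __name__ == "__main__":
    print(traversing_entries(build_sample_zip(), "fa360000-1111-2222-3333-444444444444"))
    print(demo_scan())
```

The archive check is what a safe extractor does before writing anything: compute the final path and refuse any entry that does not stay under the per-extension folder. The directory scan is the cheap periodic control the section describes, and, as the text notes, it only covers the web shell path, so treat a hit as one indicator rather than the whole detection.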

As mentioned in our Threat Intelligence blog, Blackpoint has already observed the authentication bypass followed by the detonation of code on the server to install persistence (through the use of a secondary RMM), all occurring in under two minutes.

Detection

Client RCE vs. Server RCE

We’ve explored two methods for achieving code execution using this suite of ScreenConnect vulnerabilities:  

  • One on ScreenConnect Client devices, by using the authentication bypass CVE to take advantage of legitimate ScreenConnect Client deployment functionality 
  • One on the ScreenConnect Server, through deployment of a web shell or malicious extension 

We’ve also identified methods of detecting each type of exploitation. 

A key behavioral difference lies in the processes used to launch attacker-supplied code. When a ScreenConnect server administrator supplies a file or command to run on a ScreenConnect client, the command is executed through the “ScreenConnect.ClientService.exe” process. Because both exploitative administrators and genuine administrators can utilize this functionality, it won’t always be clear that a detection based on this behavior indicates malicious intent—it could simply indicate a normal deployment of software using ScreenConnect’s built-in features. In this instance, a cross-examination of the user against Users.xml would increase one’s confidence in determining this to be threat actor behavior. 

However, the second attack path described (remote code execution on the ScreenConnect application server) contains a possibility for behavioral detection. The ScreenConnect application server runs under the process name “ScreenConnect.Service.exe”. It is therefore possible to identify malicious remote exploitation of the ScreenConnect server by searching for instances where ScreenConnect.Service.exe launched the Windows command prompt or other suspicious processes. An example is shown below (Figure 8): 

Figure 8: ScreenConnect.Service.Exe

This logic may assist in identifying ScreenConnect servers that were compromised or attacked: 

  • ScreenConnect.Service.exe running “cmd” or a scripting interpreter is an anomaly, and likely malicious. 
  • ScreenConnect.ClientService.exe running “cmd” or a scripting interpreter is not inherently malicious and could result from both normal usage of ScreenConnect and an attacker moving laterally through ScreenConnect clients. 
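As an added example, not part of the original post, here is the parent/child process logic above applied to a few constructed process-creation events: a server-side interpreter launch is rated high, a client-side one medium with a pointer back to the Users.xml cross-check, and everything else is ignored. The key="value" log layout, host names and install paths are assumptions; the process names are the ones given in the text.

```python
import re

SERVER_PROCESS = "screenconnect.service.exe"        # ScreenConnect application server
CLIENT_PROCESS = "screenconnect.clientservice.exe"  # service on each managed endpoint
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events in a simple key="value" layout. Real telemetry
# (Sysmon Event ID 1, EDR process events) carries the same fields under other names.
SAMPLE_EVENTS = [
    'ts="2024-02-20T03:43:10Z" host="SC-SERVER01" '
    'parent="C:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.Service.exe" '
    'image="C:\\Windows\\System32\\cmd.exe" user="NT AUTHORITY\\SYSTEM"',
    'ts="2024-02-20T03:55:41Z" host="WS-0042" '
    'parent="C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" user="NT AUTHORITY\\SYSTEM"',
    'ts="2024-02-20T09:02:00Z" host="WS-0042" '
    'parent="C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe" '
    'image="C:\\Windows\\System32\\msiexec.exe" user="NT AUTHORITY\\SYSTEM"',
    'ts="2024-02-20T09:10:12Z" host="WS-0042" '
    'parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\cmd.exe" user="CORP\\jsmith"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" line into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, note) for an interpreter launched by a ScreenConnect process, else None."""
    parent = basename(event.get("parent", ""))
    child = basename(event.get("image", ""))
    if child not in INTERPRETERS:
        return None
    if parent == SERVER_PROCESS:
        return ("high", "server process launched an interpreter; likely server compromise")
    if parent == CLIENT_PROCESS:
        return ("medium", "client launched an interpreter; confirm the initiating admin against Users.xml")
    return None


def detect(lines):
    """Run the classifier over a batch of events and collect the hits."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            severity, note = verdict
            findings.append({"ts": event["ts"], "host": event["host"],
                             "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["ts"], hit["host"], hit["severity"].upper(), hit["note"])
```

The medium finding is deliberately not dismissed: on its own it may be routine software deployment, but paired with a newly created administrator in Users.xml it is the lateral-movement pattern described above.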

Conclusion

Risk: High 

Impact: High 

CVE-2024-1709 and CVE-2024-1708 have sparked mass concern due to 

  • the ease of exploitation, 
  • the internet-facing nature of the affected software, and 
  • the potential to mass deploy ransomware or other malicious software 

to compromise the ScreenConnect client devices once the ScreenConnect application server is administered by an attacker. While actions have been undertaken by ConnectWise to prevent abuse of these vulnerabilities, it is still imperative that systems are patched. Blackpoint’s Adversary Pursuit Group (APG) and SOC are continuing to monitor these events and help customers protect their systems. However, if you have been impacted by these attacks, please get in touch with us. The Blackpoint team is available to offer help and guidance where possible. 

Written By

Members of the Adversary Pursuit Group (APG), including:

Robel Campbell, Reverse Engineer

Robel Campbell is a distinguished cybersecurity professional with over eight years of experience, including roles as a penetration tester, vulnerability researcher, and reverse engineer. His extensive background is further enriched by a decade of service in the US Army as a cyber officer, culminating in the rank of Captain.

