ConnectWise ScreenConnect Vulnerabilities 

Blackpoint is continuing to monitor the exploitation in the wild of the ScreenConnect vulnerabilities.  

To recap: 

CVE numbers have been allocated to the exploits as follows: 

• CVE-2024-1709: An authentication bypass using an alternate path or channel (CVSS 10) 
• CVE-2024-1708: A path traversal issue (CVSS 8.4) 

Exploitation of these vulnerabilities is trivial. ConnectWise has provided guidance for mitigating attacks at their advisory page.

Our guidance remains the same: ensure ScreenConnect installations are patched to the latest version. 

Additionally, ConnectWise has provided version 23.9.10 that removes license restrictions, available from the ConnectWise website.  

Blackpoint’s Adversary Pursuit Group has been identifying and recording indicators of compromise (IoCs) from ongoing exploitation. The most common flow of compromise is threat actors compromising vulnerable ScreenConnect instances to establish persistence. In one instance, we identified a threat actor dropping a second remote access tool, SimpleHelp, as demonstrated in the diagram below: 

The Blackpoint SOC identified and stopped this attack from progressing further. 

We have observed the following indicators in the wild:

IP Address: 91.92.254.193 

Description: SimpleHelp Connection

IP Address: 98.159.157.56 

Description: SimpleHelp Connection

File Hash (SHA 256): 5d1df950b238825a36fa6204d1a2935a5fbcfe2a5991a7fc69c74f476df67905 

Description: SimpleHelp Installer

Some of these indicators have also been identified by CISA as part of the BlackCat campaigns in the healthcare sector. While we cannot specifically confirm the behavior we observed was BlackCat activity (as the indicators are only related to SimpleHelp and do not contain additional BlackCat indicators), we do believe the common activity supports our assessment that threat actors are using this vulnerability to stage and perpetrate ransomware attacks.  

On Feb. 19, 2024, ConnectWise advised of two vulnerabilities in ScreenConnect versions 23.9.7 and prior. These vulnerabilities are rated critical: 

• CWE-288 Authentication bypass using an alternate path or channel (Severity 10) 
• CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”) (Severity 8.4)  

Both vulnerabilities could allow an attacker to remotely execute code or view and impact potentially sensitive data. 

If you use ScreenConnect, you should patch to version 23.9.8 immediately. Given the criticality of these vulnerabilities, if you are unable to patch, we recommend that you do not use ScreenConnect until you can patch. 

Blackpoint customers running Managed Application Control in blocking mode are protected against ScreenConnect. Be aware that previously approved installations are still approved – these approvals should be rejected until patched. Once vulnerable versions have been patched across all systems, Blackpoint customers can allow ScreenConnect execution via the Managed Application Control console. 

The Blackpoint SOC is also constantly monitoring for the use of ScreenConnect across our customer base and reaching out as we identify vulnerable versions. 

Blackpoint will continue to monitor this developing situation.

This blog has been updated continuously throughout the incident from February 20-22 and February 28.

• ConnectWise ScreenConnect 23.9.8 security fix
• Don’t arm the enemy. Safeguard your allies.
• Breaking Through the Screen

Nick Hyatt
Director of Threat Intelligence

Nick Hyatt has extensive expertise in technology, support, and information security, with experience spanning small businesses to Fortune 500 companies across various industries. He has a deep understanding and practical experience in incident response, threat intelligence, digital forensics, and malware analysis. His hands-on skills encompass malware forensics, data mapping, threat hunting, and e-discovery in diverse environments.

Connect with Nick on LinkedIn.