Screenconnect

Hot on the heels of my last article about MSP owners having all their eggs in one basket, we all heard about the ScreenConnect incident.

A timely reminder that the risks in our businesses often come from our employees and our tools. Many of the threats we face are generated by the very tools we all use.

What happened

On Monday, February 19th, MSPs were instructed to update their on-premises instances of ScreenConnect immediately. ConnectWise had at that point already patched its cloud environments.

To protect its partners, ConnectWise also backported upgrade patches to the last 20 releases. In short, ConnectWise took all the appropriate steps you would expect. However, criminal groups did not waste time.

Enter the cybercriminals

By Friday of that week, Mandiant had identified mass exploitation of the vulnerabilities by threat actors. In a post on the Mandiant website, they shared the following:

Many of them will deploy ransomware and conduct multifaceted extortion

Huntress shared:

We're seeing such a variety of different attempts. - John Hammond, Principal Security Research at Huntress.

One organization, UnitedHealth Group's Change Healthcare, was experiencing slowdowns at pharmacies due to a strain of LockBit malware related to the ScreenConnect vulnerabilities. In an 8-K filing with the U.S. Securities and Exchange Commission, the company stated it had identified a suspected nation-state-associated cybersecurity threat actor that had gained access to some of its systems.

Indeed, CISA issued a notice stating that ConnectWise partners and end customers should pull the cord on all on-prem ScreenConnect servers if they cannot update to the latest version.

ConnectWise states in its advisory that these vulnerabilities are rated “Critical—Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems”. The two vulnerabilities are:

  • CVE-2024-1709 (CWE-288) — Authentication Bypass Using Alternate Path or Channel. Base CVSS score of 10, indicating “Critical”.
  • CVE-2024-1708 (CWE-22) — Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”). Base CVSS score of 8.4, still considered “High Priority”.

The vulnerabilities involved authentication bypass and path traversal issues within the server software itself, not the client software installed on end-user devices. Attackers have found that they can deploy malware to the servers or to workstations with the client software installed. Sophos has evidence that attacks against both servers and client machines are currently underway.

Patching the server will not remove any malware or webshells that attackers managed to deploy before patching, so any compromised environment needs to be investigated.
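As an added illustration of that point (not code from the article, ConnectWise or Huntress), here is a small Python triage pass over a server's web root: it compares files against a known-good hash baseline and flags executable web files the vendor never shipped, baseline files that were tampered with, and anything else written since the exposure window opened. The directory layout, file names and baseline are constructed for the demo and are not ScreenConnect's real layout.

```python
import hashlib
import os
import tempfile
import time

# File types the .NET-based server executes; one of these that the vendor did
# not ship is a candidate webshell, and applying the patch will not remove it.
EXECUTABLE_WEB_EXTS = {".aspx", ".ashx", ".asmx", ".dll"}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage_web_root(root, baseline, since_epoch):
    """Sorted (relpath, reason) pairs for what patching leaves behind: executable
    web files missing from the known-good baseline, baseline files whose hash
    changed, and any other file written after the exposure window opened."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in baseline:
                if baseline[rel] != sha256_file(full):
                    findings.append((rel, "baseline file modified"))
            elif os.path.splitext(name)[1].lower() in EXECUTABLE_WEB_EXTS:
                findings.append((rel, "executable web file not in baseline"))
            elif os.path.getmtime(full) >= since_epoch:
                findings.append((rel, "written during exposure window"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample install (not a real ScreenConnect layout): a two-file
    vendor baseline, then three changes of the kind an intruder leaves behind."""
    root = tempfile.mkdtemp()
    since = time.time() - 3600  # assume the exposure window opened an hour ago

    def write(rel, data, mode="wb"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, mode) as f:
            f.write(data)
        return path
    baseline = {rel: sha256_file(write(rel, data)) for rel, data in
                {"Bin/Server.dll": b"MZ vendor code", "Web.config": b"<config/>"}.items()}
    write("Extensions/Helper.ashx", b"<%@ WebHandler %> constructed, not a payload")
    write("Web.config", b"<!-- edited -->", "ab")   # tampered baseline file
    write("App_Data/notes.txt", b"constructed")      # non-executable, but new
    return root, baseline, since
```

In a real investigation the baseline would come from a clean install of the same version, and the window start from the vendor's advisory date or the earliest suspicious log entry.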

History repeats itself

As I said last week, in the MSP industry the very tools we use to support our clients and our employees represent an immense risk.

To help reduce your risk and protect yourself, consider the following:

  • Audit your environment on a consistent basis.
  • Leverage automation that tracks changes in your environment.
  • Leverage zero-trust tools.
  • Reduce your tool set where possible.
  • Dump your on-prem equipment and consider SaaS.
  • Ensure you conduct a yearly penetration test by a third-party provider.

Some great reference resources for you to investigate more closely:

Huntress has an excellent write-up. They reference a certain Windows ID that is worth reviewing for further insight too. Today it is ConnectWise; tomorrow it will be somebody else.

Securely Yours,

Scott



Mike Castaldi

People-first IT services for small businesses throughout Central Ohio

9 months

I have two somewhat divergent takes on this. First... I think too many MSPs, when they decide to take something like ScreenConnect (or VSA, etc.) on-prem, don't fully understand and embrace the degree to which the shared responsibility model shifts. It's like a dog chasing a car. Everything is great. But what do you do when you catch it? If you take it on-prem, everything is on you. It simply can't go on auto-pilot. To be sure, many/most MSPs do this responsibly. But history has shown us enough don't to make it... concerning. Second... with the uptick in compromises of remote support tools, I think MSPs should take a long hard look at the instances where unattended access is truly necessary. I would argue most MSPs don't need nearly as much unattended access as they have set up. How much could you reduce your attack surface by reducing unattended access to all but what's truly necessary (and keeping everything else ad-hoc)?

jurgen "jay" kastner

Cybersecurity & IT Consulting - gigabunny.com

9 months

Great info, thank you. One problem is the concentration of the RAT/MSP market, leaving only a few suppliers; those are preferred targets due to their large customer numbers. I usually try to customize my setup as much as possible, to make it at least a bit harder to get in.
