ConnectWise Says ScreenConnect Flaw Being Actively Exploited
2024-02-23 00:07 Author: securityboulevard.com

Hackers are actively exploiting critical security flaws in ConnectWise’s remote desktop access tool just days after the software maker alerted customers of the vulnerabilities.

ConnectWise learned of the bugs – tracked as CVE-2024-1709 (with the highest severity rating of 10) and CVE-2024-1708 (8.4 out of 10) – in ScreenConnect February 13 through its vulnerability disclosure channel and notified the industry six days later.

A day later in an update to its notification, the company said it had received “notifications of suspicious activity that our incident response team has investigated” and published three IP addresses used by threat actors.

“Indicators of compromise (IOCs) look for malicious activity or threats,” ConnectWise wrote. “These indicators can be incorporated into your cybersecurity monitoring platform. They can help you stop a cyberattack that’s in progress. Plus, you can use IOCs to find ways to detect and stop ransomware, malware, and other cyberthreats before they cause data breaches.”

Remote Support Software a Target

ScreenConnect – formerly ConnectWise Control – is used by managed service providers (MSPs) and remote technicians to gain access into customer remote desktops and mobile systems for support purposes. In recent years, such remote support tools have come under attack by threat groups that see them as easy ways to compromise one product to gain access into multiple downstream IT environments.

That came into sharp focus in 2021, when the REvil group exploited a flaw in Kaseya’s Virtual System Administrator (VSA) remote monitoring and management (RMM) software and caused widespread downtime issues for more than 1,000 MSPs and customers.

The CVE-2024-1709 flaw is an authentication bypass vulnerability that could give attackers direct access to systems or confidential information. CVE-2024-1708 is a path-traversal vulnerability that could allow bad actors to execute remote code or directly impact confidential data or critical systems.

ConnectWise is urging on-premises users to immediately upgrade their servers to ScreenConnect version 23.9.20.8817, which contains fixes that not only address the vulnerabilities but also improve the customer experience. Cloud instances running the software were remediated against both vulnerabilities on February 19.

In addition, ConnectWise removed license restrictions, which means those under maintenance can upgrade to the latest version of ScreenConnect.

Exploiting Flaw ‘Embarrassingly Easy’

The company initially said there was no evidence that the flaws were being exploited in the wild, but that changed a day later with the reports of “suspicious activity.” Cybersecurity vendors were not surprised that bad actors jumped on the flaw, with a number of them creating proofs-of-concepts (PoCs) showing how they could be exploited.

Researchers with Huntress noted in a report February 21 that ConnectWise’s notification of the flaws was “very sparse on technical details. There was not much information available as to what these vulnerabilities really consisted of, how they might be taken advantage of, or any other threat intelligence or indicators of compromise to hunt for.”

After recreating the exploit and attack chain, they concluded that details about the vulnerabilities shouldn’t become public until ScreenConnect users had sufficient time to patch the software, adding that “it would be too dangerous for this information to be readily available to threat actors.”

However, given that other vendors were sharing their PoC exploits, Huntress researchers published what they found, and it came with a warning: “The ‘exploit’ is trivial and embarrassingly easy.”

They looked for differences in the code in the new patched version and the previous – and unpatched – version. “Creating a local testing environment for both of these states of the ScreenConnect software, we could easily see the delta that might clue us into the potential exploit,” they wrote.

A Lot of Possible Targets Out There

Analysts with Horizon3.ai wrote that the authentication bypass flaw “allows an attacker to create their own administrative user on the ScreenConnect server, giving them full control over the server. This vulnerability follows the theme of other recent vulnerabilities that allow attackers to reinitialize applications or create initial users after setup.”

Threat actors have a large playing field with these vulnerabilities. Palo Alto Networks’ Unit 42 threat intelligence group found that as of February 21, there were 18,188 unique IP addresses hosting ScreenConnect around the world, and earlier scans showed that almost three quarters of those hosts were in the United States.

Unit 42 in its report wrote that they “assess with high confidence that this vulnerability will be actively targeted by various types of threat actors, including cybercriminals and nation-state actors, given the severity and scope of the vulnerability and the nature of the impacted product” and later noted ConnectWise’s confirmation of exploits in the wild.

Source: https://securityboulevard.com/2024/02/connectwise-says-screenconnect-flaw-being-actively-exploited/