ScreenConnect vulnerabilities are being actively exploited by cybercriminals, according to new research, and security experts are urging users to patch remote desktop access software.
The flaws were discovered in ScreenConnect, software giant ConnectWise's remote desktop access product, and specifically affect versions 23.9.7 and earlier.
The two flaws, CVE-2024-1708 and CVE-2024-1709, were rated high and critical severity, respectively, under the CVSS scores in the National Vulnerability Database.
CVE-2024-1708 is a path traversal vulnerability that could be exploited by attackers to access directories beyond restricted areas, potentially leading to system compromise or disclosure of sensitive information.
CVE-2024-1709 is an authentication bypass flaw that would allow a threat actor to gain direct access to sensitive information and critical systems, hence its critical severity rating, which indicates that it can be exploited with minimal effort and can cause significant disruption.
A vulnerability analysis by security specialists Trend Micro described this flaw as particularly concerning due to the simplicity with which attackers can bypass authentication and compromise the system.
“CVE-2024-1709 is especially alarming because it is incredibly trivial to exploit,” the researchers said. “When an attacker successfully adds unauthorized accounts to the ConnectWise server, those accounts can be abused to execute code.”
In an advisory published on February 20, ConnectWise said the flaws were reported through its vulnerability disclosure channel on February 13. The company released patches for affected systems and stated that there were no indications at that time that the flaws had been exploited.
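Because the advisory scopes the flaws to "versions 23.9.7 and earlier", the first defensive step is an accurate version gate across every ScreenConnect install. The following is an added example, not code from the article, ConnectWise or Trend Micro: it parses dotted version strings numerically (a plain string comparison would wrongly treat 23.10.x as older than 23.9.7), compares only the major/minor/patch components so build-number suffixes don't hide an affected install, and triages a constructed host inventory. The hostnames and version values are made up for the example.

```python
"""Version gate for the ScreenConnect CVE-2024-1708 / CVE-2024-1709 advisory.

Added example: checks an inventory of ScreenConnect versions against the
affected range named in the advisory (23.9.7 and earlier).
"""
import re

# Highest affected version per the advisory: 23.9.7 and earlier.
LAST_AFFECTED = (23, 9, 7)

# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = {
    "sc-01.example.internal": "23.9.7",          # last affected release
    "sc-02.example.internal": "23.9.8",          # first release past the range
    "sc-03.example.internal": "22.8.9012.8740",  # old build with a build suffix
    "sc-04.example.internal": "23.10.1",         # newer; string compare would get this wrong
}


def parse_version(text: str) -> tuple:
    """Turn '23.9.7' or '23.9.7.8815' into a tuple of ints.

    Only dotted digit groups are accepted; anything else (pre-release tags,
    stray whitespace inside the string) raises ValueError so a malformed
    inventory entry is never silently treated as patched.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True when the version is 23.9.7 or earlier.

    Only the first three components are compared: a build suffix such as
    23.9.7.8815 is still a 23.9.7 install and therefore still affected.
    Shorter strings like '23.9' are padded with zeros (23.9.0).
    """
    parts = parse_version(version)[: len(LAST_AFFECTED)]
    parts = parts + (0,) * (len(LAST_AFFECTED) - len(parts))
    return parts <= LAST_AFFECTED


def hosts_needing_patch(inventory: dict) -> list:
    """Return the sorted list of hosts whose version falls in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in hosts_needing_patch(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is 23.9.7 or earlier, patch required")
```

Feeding a real inventory into `hosts_needing_patch` (for example, versions pulled from the ScreenConnect admin page or a software asset database) gives a patch list that does not depend on how many components each version string carries.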
Black Basta, Bl00dy and others sniffing out ScreenConnect weaknesses
On February 27, Trend Micro reported that its telemetry showed “various groups of threat actors” exploiting the vulnerabilities in ScreenConnect.
Analysts at the security company discovered that Cobalt Strike beacons affiliated with the Black Basta ransomware collective had been deployed on vulnerable versions of ScreenConnect.
Threat actors were observed attempting to escalate privileges to facilitate lateral movement within the network, as well as accessing Active Directory to identify future targets.
Since it was first observed in 2022, the Black Basta group has become a very active threat group in the ransomware-as-a-service (RaaS) space.
The group has had a busy start to 2024, claiming responsibility for an attack on British utility company Southern Water in which 750 GB of sensitive data, including passports, ID cards and employee information, was allegedly exfiltrated.
Black Basta was not the only group that explored using adversary simulation tools to exploit the flaw, according to Trend Micro. Another unidentified group was observed deploying Cobalt Strike payloads and defense evasion techniques on vulnerable networks.
Trend Micro also revealed that a ransomware operator called 'Bl00dy' is actively exploiting the ScreenConnect vulnerabilities, deploying leaked builders from the Conti and LockBit collectives.
Given that these flaws are already under attack and the damage threat actors could cause if successful, Trend Micro emphasized the importance of companies patching their systems as soon as possible.
“If exploited, these vulnerabilities could compromise sensitive data, disrupt business operations, and inflict significant financial losses. The fact that threat actors are actively using these weaknesses to distribute ransomware adds a layer of urgency to take immediate corrective action.”