Security researchers have uncovered alarming news about the popular remote access tool ConnectWise ScreenConnect. The tool, used by over a million companies worldwide, has been found to have two exploitable vulnerabilities that hackers are abusing to deploy ransomware and steal sensitive data.
Cybersecurity powerhouse Mandiant reported on Friday that it had discovered mass exploitation of the flaws in ConnectWise ScreenConnect. This remote access tool, commonly used by IT staff and technicians to provide online support, is now being targeted by malicious attackers. The vulnerabilities in question are CVE-2024-1709, an easily exploitable authentication bypass, and CVE-2024-1708, a path traversal vulnerability that allows malicious code to be planted remotely on affected systems.
In response to these findings, ConnectWise released security patches on February 19 and urged their customers to install them immediately. Despite this warning, thousands of servers are still vulnerable, as revealed by data from the Shadowserver Foundation. Each of these vulnerable servers has the potential to manage up to 150,000 customer devices, making the situation all the more critical.
Mandiant also warned that they have identified “various threat actors” exploiting the vulnerabilities. Of these actors, many are deploying ransomware and carrying out multifaceted extortion. However, the specific groups behind these attacks have not been named.
In addition to Mandiant’s findings, Finnish cybersecurity firm WithSecure has also reported “en-mass exploitation” of the ScreenConnect vulnerabilities by multiple threat actors. These hackers are using the security flaws to carry out a range of malicious activity, including deploying password stealers, backdoors, and even ransomware. In one case, WithSecure observed hackers planting a Windows variant of the KrustyLoader backdoor, similar to the backdoors used in recent attacks on Ivanti’s corporate VPN software.
Sophos and Huntress, two other security research firms, have also observed attacks exploiting the ConnectWise vulnerabilities. The LockBit ransomware gang, in particular, has been linked to using these exploits to carry out attacks. This news comes just days after an international law enforcement operation disrupted the operations of this notorious Russia-linked cybercrime gang.
Huntress reported that it has seen a “significant number” of adversaries using the exploits for various malicious activities, including deploying cryptocurrency mining software, installing additional remote access tools, and creating new user accounts on compromised machines. The exact number of affected customers and end users is yet to be determined, and ConnectWise has not responded to inquiries about the extent of the issue.
ConnectWise was scheduled to have an interview with TechCrunch’s CISO Patrick Beggs on Monday, but the company canceled it without giving a reason. If you believe you may be affected by this vulnerability, you can contact TechCrunch securely through Signal or email, or reach out via SecureDrop.