The ConnectWise ScreenConnect exploit has been making the news this month. The bad news is that this is a serious vulnerability that is being actively exploited to deploy ransomware and other malware on compromised systems. The good news is that if you are an Augur subscriber, you benefited from significant advance protection against this emerging threat.

What Is ConnectWise ScreenConnect?

A research post from Palo Alto Unit 42 on February 24 explains that the ConnectWise ScreenConnect exploit involves two vulnerabilities, identified as CVE-2024-1708 and CVE-2024-1709. CVE-2024-1708 is a path-traversal vulnerability that allows an attacker to execute code remotely or directly affect confidential data or critical systems; it carries a severity score of 8.4 (High). CVE-2024-1709 is an authentication-bypass vulnerability that gives an attacker direct access to confidential information or critical systems; it carries a severity score of 10.0 (Critical).

Is ConnectWise ScreenConnect a Serious Threat?

According to an analysis piece published by Sophos, the impact of the ScreenConnect vulnerabilities is significant. Since their public disclosure, there has been a noticeable increase in telemetry events involving ScreenConnect, with threat actors leveraging the exploits to launch a wide variety of attacks and deliver different types of malware to target machines. These attacks include deploying ransomware such as LockBit and other malware such as AsyncRAT and password stealers. The vulnerabilities have also been used to push additional remote-access clients onto target machines, further compromising system security.

Mitigation and Response

To mitigate the risks, ConnectWise has released patches for the affected versions of ScreenConnect (23.9.7 and prior). Organizations using ConnectWise-hosted ScreenConnect instances need take no further action, as those instances have already been updated to remediate the issue. Organizations running on-premise instances, however, should immediately upgrade to version 23.9.8 or later to address these vulnerabilities. To read more about mitigation, you can check out this post on the Lodestone blog.
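The upgrade check above is easy to get wrong in an inventory script: comparing version strings lexicographically ranks "23.9.10" below "23.9.8". The following is an added example, not code from the post or from ConnectWise, that parses dotted version strings into integer tuples and reports which on-premise servers in a constructed inventory are still below the fixed version. Hostnames and version values in the inventory are made up for illustration.

```python
# Added example (not from the original post or from ConnectWise): decide whether an
# on-premise ScreenConnect version string is in the patched range (23.9.8 or later).
# Versions are compared as integer tuples, not as strings, because a plain string
# comparison would wrongly rank "23.9.10" below "23.9.8".
from typing import Dict, List, Tuple

FIXED_VERSION: Tuple[int, ...] = (23, 9, 8)  # first fixed release stated in the post


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.7.8756' into (23, 9, 7, 8756); rejects non-numeric parts."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True when the server runs 23.9.8 or later (tuple comparison handles
    four-part build numbers such as 23.9.8.8811 correctly)."""
    return parse_version(version) >= FIXED_VERSION


def naive_string_check(version: str) -> bool:
    """The mistake this example warns about: lexicographic comparison."""
    return version >= "23.9.8"


def needs_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose ScreenConnect version is below the fixed release."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed inventory (hypothetical hostnames and versions, not real data).
SAMPLE_INVENTORY = {
    "sc-prod-01": "23.9.7.8756",
    "sc-prod-02": "23.9.8.8811",
    "sc-lab-01": "23.9.10",
    "sc-old-01": "22.8.9",
}

if __name__ == "__main__":
    for host in needs_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below 23.9.8, upgrade required")
```

Run the script directly to list hosts that still need the upgrade; the `naive_string_check` function is kept only to show why the tuple comparison matters.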

Our Predictions

Augur predicted three important IPs connected to the ConnectWise ScreenConnect exploit, and threat research shows that two of them (115[.]133[.]514 and 115[.]133[.]515) are still being reported as actively in use. The IPs were part of CIDRs predicted to be malicious an average of 240 days ago.

115[.]133[.]514 - 300+ days of advance protection

Predicted in Q1 of 2023 and confirmed Feb 13, 2024 (sources: AlienVault, Hybrid Analysis and TruKno)

115[.]133[.]515 - 300+ days of advance protection

Predicted in Q1 of 2023 and confirmed Feb 13, 2024 (sources: AlienVault, Hybrid Analysis and TruKno)

91[.]92[.]254[.]193 - 120+ days of advance protection

Predicted in Q3 of 2023 and confirmed Feb 13, 2024 (sources: AlienVault, Spamhaus)
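Before indicators like the ones listed above go into a blocklist or a detection rule, they need to be refanged and validated, and a practitioner usually also wants to match on the predicted CIDR block rather than only on the exact address. The following is an added example, not part of the original post and not Augur's code: it refangs the three indicators as printed, keeps only those that parse as IPv4 addresses (as printed, the first two have three dot-separated parts and a value above 255, so the validator drops them), and scans a few constructed log lines for exact hits or for sources inside an assumed /24. The CIDR block is a hypothetical placeholder, since the post says the IPs sat inside predicted CIDRs but does not print them; the log lines are constructed, not real telemetry.

```python
# Added example (not from the original post, not Augur's code): refang the defanged
# indicators, validate them as IPv4 addresses, and match them or their predicted
# CIDR block against sample log lines.
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicators exactly as printed in the post, in defanged form.
POSTED_INDICATORS = ["115[.]133[.]514", "115[.]133[.]515", "91[.]92[.]254[.]193"]

# Hypothetical placeholder: the post does not print the predicted CIDRs, so this
# /24 around the third indicator is assumed for illustration only.
ASSUMED_PREDICTED_CIDRS = ["91.92.254.0/24"]

# Constructed sample firewall log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-02-14T10:01:02Z fw allow src=91.92.254.193 dst=10.0.0.5 dport=8041",
    "2024-02-14T10:01:09Z fw allow src=91.92.254.77 dst=10.0.0.5 dport=443",
    "2024-02-14T10:02:15Z fw allow src=203.0.113.9 dst=10.0.0.5 dport=8041",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Replace common defanging tokens ('[.]', '(.)', '{.}') with a plain dot."""
    return re.sub(r"[\[\(\{]\.[\]\)\}]", ".", indicator)


def validate_ipv4(indicator: str) -> Optional[str]:
    """Return the refanged address if it is a valid IPv4 address, else None."""
    try:
        return str(ipaddress.IPv4Address(refang(indicator)))
    except ipaddress.AddressValueError:
        return None


def usable_indicators(indicators: List[str]) -> Dict[str, Optional[str]]:
    """Map each posted indicator to its validated form, or None if it does not parse."""
    return {ind: validate_ipv4(ind) for ind in indicators}


def match_logs(logs: List[str], indicators: List[str],
               cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return (log line, reason) for lines whose addresses hit an exact indicator
    or fall inside one of the predicted CIDR blocks."""
    exact = {v for v in usable_indicators(indicators).values() if v}
    networks = [ipaddress.ip_network(c) for c in cidrs]
    hits: List[Tuple[str, str]] = []
    for line in logs:
        for ip_text in IPV4_RE.findall(line):
            try:
                ip = ipaddress.IPv4Address(ip_text)
            except ipaddress.AddressValueError:
                continue  # regex matched something like 999.1.1.1; skip it
            if ip_text in exact:
                hits.append((line, f"exact indicator {ip_text}"))
                break
            net = next((n for n in networks if ip in n), None)
            if net is not None:
                hits.append((line, f"inside predicted CIDR {net}"))
                break
    return hits


if __name__ == "__main__":
    for ind, valid in usable_indicators(POSTED_INDICATORS).items():
        print(f"{ind}: {'ok ' + valid if valid else 'does not parse as IPv4, skipped'}")
    for line, reason in match_logs(SAMPLE_LOGS, POSTED_INDICATORS, ASSUMED_PREDICTED_CIDRS):
        print(f"HIT ({reason}): {line}")
```

The validation step is the point: an indicator that fails to parse is reported rather than silently loaded, so a typo in a feed or a blog post does not end up as a dead entry in a blocklist.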

Get Proactive Protection Today!

You can learn more about how Augur predicts the future here and how it provides unique protection against emerging vulnerabilities, novel threats and zero-day exploits. If you want to talk to someone about how Augur’s predictive intelligence can improve your overall security posture, email us at augur@seclytics.com.

Stay in The Loop

To stay up to date on all the latest SecLytics news and events, check out our blog or, even better, follow us on LinkedIn!
