Site icon Sophos News

ConnectWise sounds the alarm on two vulnerabilities

[Note: for further information on this topic, please see the X-Ops blog article here]

On February 19, 2024, ConnectWise released a security advisory for its remote monitoring and management (RMM) software. The advisory highlighted two vulnerabilities that impact older versions of ScreenConnect and have been mitigated in version 23.9.8 and later. ConnectWise states in the advisory these vulnerabilities are rated as “Critical—Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems”. The two vulnerabilities are:

Cloud-hosted implementations of ScreenConnect, including screenconnect.com and hostedrmm.com, have already received updates to address these vulnerabilities. Self-hosted (on-premise) instances remain at risk until they are manually upgraded, and it is our recommendation to patch to ScreenConnect version 23.9.8 immediately. The upgrade is available on ScreenConnect’s download page.

On February 21, proof of concept (PoC) code was released on GitHub that exploits these vulnerabilities and adds a new user to the compromised system. ConnectWise has also updated their initial report to include observed, active exploitation in the wild of these vulnerabilities.

What you should do

What Sophos is doing

Sophos is actively tracking the ongoing developments with these ScreenConnect vulnerabilities and their exploitation. The following detection rules were previously implemented to identify abuse of ScreenConnect and are still viable for identifying post-exploitation activity.

We are continuing to ensure protection and detection coverage as changes happen and have released a prevention rule (ATK/SCBypass-A) and are testing similar network-based (IPS) signatures to combat the public proof of concept and other future abuse.

Our Incident Response team has published eight XDR queries to their public GitHub repo:

For MDR (Managed Detection and Response) customers, we have initiated a customer-wide threat hunting campaign, and our MDR analysts will promptly reach out if any activity is observed. Our MDR team will be diligently monitoring our customer environments for suspicious behavior and responding as necessary. We will provide further updates as more information becomes available.

Acknowledgements

Anthony Bradshaw, Paul Jaramillo, Jordon Olness, and Benjamin Sollman assisted in the development of this post.

Exit mobile version