ConnectWise ScreenConnect Exploited to Deploy AsyncRAT

Urgent Security Alert: Critical ConnectWise ScreenConnect Flaw Actively Exploited to Deploy Malware

A critical vulnerability in ConnectWise ScreenConnect is being actively exploited by cybercriminals to gain unauthorized access to systems and deploy malicious payloads, including the notorious AsyncRAT. This remote access trojan (RAT) grants attackers significant control over compromised devices, creating a severe security risk for businesses and IT service providers who rely on this popular remote support software.

The vulnerability, tracked as CVE-2024-1709, is a critical authentication bypass flaw with a maximum CVSS score of 10.0, indicating the highest possible severity. It affects on-premise versions of ScreenConnect 23.9.7 and earlier. The flaw allows an unauthenticated attacker to bypass security checks and create a new administrator-level account on a vulnerable server, effectively handing them the keys to the kingdom.

Once administrative access is gained, attackers can leverage ScreenConnect’s legitimate remote management features to execute their malicious campaigns. This “living off the land” technique makes their activity harder to detect, as they are using trusted software to perform their actions.

The Attack Chain: From Exploit to Infection

Security researchers have observed a clear and dangerous attack pattern emerging in the wild. Here’s how cybercriminals are turning this vulnerability into a full-blown infection:

  1. Exploitation: The attacker targets an unpatched, internet-facing ScreenConnect server and exploits the CVE-2024-1709 flaw.
  2. Account Creation: They use the exploit to create a new administrator user on the ScreenConnect instance.
  3. Payload Delivery: Posing as a legitimate administrator, the attacker uses ScreenConnect’s built-in functionality to connect to endpoints and run malicious commands.
  4. Malware Deployment: These commands typically involve downloading and executing a payload, which has been identified in multiple incidents as AsyncRAT.

AsyncRAT is a powerful and versatile remote access trojan that gives attackers a wide range of capabilities, including keylogging, screen recording, credential theft, file exfiltration, and the ability to drop additional malware like ransomware. An infection can lead to devastating consequences, from data breaches to complete network compromise.

Who is at Risk?

This vulnerability primarily affects organizations running on-premise (self-hosted) versions of ConnectWise ScreenConnect. Any server running version 23.9.7 or older should be considered extremely vulnerable and an immediate target for attackers.

Managed Service Providers (MSPs) and IT departments are at particularly high risk, as ScreenConnect is a cornerstone of their operations for providing remote support to clients. A compromise of an MSP’s ScreenConnect server could give attackers a gateway into the networks of all their clients.

ConnectWise has confirmed that its cloud-hosted instances have already been patched and are not vulnerable.

Actionable Steps to Protect Your Systems Immediately

Due to the critical nature of this vulnerability and the active exploitation, immediate action is required. If you are running a self-hosted ScreenConnect server, follow these steps without delay.

  • Patch Immediately: This is the single most important step. Upgrade your ScreenConnect instance to version 23.9.8 or newer. This version contains the security fix that closes the authentication bypass vulnerability. Do not wait—attackers are actively scanning the internet for unpatched servers.

  • Investigate for Signs of Compromise: Because this flaw has been exploited for some time, you must check for malicious activity. Review the user list within your ScreenConnect setup for any unrecognized or suspicious administrator accounts, especially any created on or after February 19, 2024. Remove any unauthorized users immediately.

  • Hunt for Malicious Payloads: Check for suspicious files, particularly in common temporary directories like C:\Windows\Temp\. Attackers often use these locations to stage their payloads. Examine running processes and network connections for any unusual activity originating from the ScreenConnect server or its managed endpoints.

  • Enhance Security Posture: Use this incident as an opportunity to review and harden your security controls. Ensure that administrative interfaces like ScreenConnect are not unnecessarily exposed to the public internet. Implement multi-factor authentication (MFA) where possible and deploy robust Endpoint Detection and Response (EDR) solutions to help detect and block post-exploitation activity.
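As an added example (not part of the original alert or ConnectWise's tooling), the two checks above can be scripted: a numeric version comparison against the 23.9.8 fix threshold, and a filter that flags administrator accounts created on or after February 19, 2024. The user records are a constructed export with assumed keys (`name`, `is_admin`, `created`), not ScreenConnect's own user store format.

```python
from datetime import date
from typing import Iterable

# First on-premise release containing the authentication-bypass fix (page: 23.9.8+).
FIXED_VERSION = (23, 9, 8)
# Earliest account-creation date the alert says to treat as suspicious.
SUSPECT_SINCE = date(2024, 2, 19)


def parse_version(text: str) -> tuple:
    """Turn '23.9.7' into (23, 9, 7) so comparisons are numeric.

    A plain string compare would wrongly rank '23.10.1' below '23.9.8'.
    Missing components are padded with zeros, so '23.9' == '23.9.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable(version: str) -> bool:
    """True for any on-premise build older than the 23.9.8 fix."""
    return parse_version(version) < FIXED_VERSION


def suspicious_admins(users: Iterable[dict]) -> list:
    """Return names of admin accounts created on/after SUSPECT_SINCE.

    Record layout is an assumption for this example (keys 'name', 'is_admin',
    'created' as an ISO date string); adapt it to your actual user export."""
    hits = []
    for u in users:
        created = date.fromisoformat(u["created"])
        if u["is_admin"] and created >= SUSPECT_SINCE:
            hits.append(u["name"])
    return hits


# Constructed sample export for demonstration only (not real incident data).
SAMPLE_USERS = [
    {"name": "helpdesk",   "is_admin": True,  "created": "2023-06-01"},
    {"name": "svc_backup", "is_admin": False, "created": "2024-02-20"},
    {"name": "sysadm1",    "is_admin": True,  "created": "2024-02-21"},
]

if __name__ == "__main__":
    for v in ("23.9.7", "23.9.8", "23.10.1", "22.8"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "patched")
    print("review these accounts:", suspicious_admins(SAMPLE_USERS))
```

Any account the filter returns should be cross-checked against your change records before removal, since legitimate admins may also have been created in that window.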

The exploitation of the ScreenConnect vulnerability is a stark reminder of how quickly threat actors can weaponize a critical flaw. Proactive patching and vigilant security monitoring are essential to defending against these rapidly evolving threats.

Source: https://securityaffairs.com/182090/malware/attackers-abuse-connectwise-screenconnect-to-drop-asyncrat.html
