Two easily exploitable flaws in a popular remote access tool used by more than 1 million companies around the world are currently in mass exploitation, with hackers exploiting them to improve security, security researchers say. It is said to be deploying ransomware and stealing sensitive data.
Cybersecurity giant Mandiant said in a post Friday that it has “confirmed mass exploitation” of two flaws in ConnectWise ScreenConnect, a popular remote access tool that allows IT departments and technicians to remotely provide technical support directly to customer systems over the Internet. ” he posted.
The two vulnerabilities are CVE-2024-1709, an authentication bypass vulnerability that researchers determined would be “embarrassingly easy” for attackers to exploit, and CVE-2024-1709, an authentication bypass vulnerability that researchers determined was “embarrassingly easy” for attackers to exploit. consists of CVE-2024-1708, a path traversal vulnerability that allows remote execution of the attack. , on vulnerable ConnectWise customer instances.
ConnectWise first disclosed the flaw on February 19th and urged on-premises customers to install the security patch immediately. However, thousands of servers remain vulnerable and According to data from Shadowserver Foundationeach of these servers can manage up to 150,000 customer devices.
Mandiant said it had identified “a variety of threat actors” exploiting the two flaws, and warned that “many of them will deploy ransomware and carry out multifaceted extortion,” but the attack was not specific. threat group.
Finnish cybersecurity company WithSecure said in a blog post on Monday that its researchers also observed “collective exploitation” of the ScreenConnect flaw by multiple attackers. According to WithSecure, these hackers are exploiting the vulnerabilities to steal passwords, backdoors, and even deploy ransomware.
WithSecure said it has also observed hackers exploiting this flaw to introduce a Windows variant of the KrustyLoader backdoor onto unpatched ScreenConnect systems. This is the same type of backdoor that was recently installed by hackers exploiting vulnerabilities in Ivanti's corporate VPN software. WithSecure said the activity has not yet been attributed to a specific threat group, but some have linked past activity to a Chinese-backed hacker group focused on espionage.
Security researchers from Sophos and Huntress announced last week that they observed the LockBit ransomware group launching an attack that exploited a vulnerability in ConnectWise — claiming to disrupt the operations of a notorious Russia-linked cybercrime group. This comes days after an international law enforcement operation.
Huntress said in its analysis that “numerous attackers” subsequently used the exploit to deploy ransomware, and “a significant number” of attackers used the exploit to deploy cryptocurrency mining software. He said he observed them installing additional “legitimate” remote access tools to maintain persistent access. It attacks the victim's network and creates new users on the compromised machine.
The number of ConnectWise ScreenConnect customers or end users affected by these vulnerabilities is not yet known, and a ConnectWise spokesperson did not respond to TechCrunch's questions. According to his website, the organization provides remote access technology to more than 1 million of his small businesses that manage more than 13 million devices.
ConnectWise on Sunday canceled a pre-scheduled interview with TechCrunch and CISO Patrick Beggs scheduled for Monday. Connectwise did not disclose the reason for the last-minute cancellation.
Are you affected by the ConnectWise vulnerability? You can contact Carly Page securely via Signal at +441536 853968 or by email at carly.page@techcrunch.com. You can also contact TechCrunch via SecureDrop.