Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709


On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and CVE-2024-1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute code remotely.


While ConnectWise initially reported that the vulnerabilities had a proof of concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for both CVEs.


Despite these updates, however, malicious actors aren’t giving up just yet, with reports of new attack vectors still coming in more than a month after the initial issue was detected. Here’s what enterprises need to know about these remote access risks.


Opportunity knocks: Attackers go all-in on ScreenConnect


The first round of attacks reported for ScreenConnect was tied to malware delivery. One week after the vulnerability was reported, however, persistent phishing campaigns were discovered that targeted both the healthcare industry and cryptocurrency users.


By February 27, ransomware groups such as Black Basta and Bl00dy began exploiting these vulnerabilities. The following week saw patches from ScreenConnect to address these evolving issues, and for several weeks the volume of attacks declined.


On March 27, however, new ScreenConnect threats emerged. Both Chinese threat group UNC5274 and Initial Access Brokers began using F5 BIG-IP (CVE-2023-46747) and the ScreenConnect vulnerabilities to actively exploit organizations.


Put ..
