Sources

https://www.connectwise.com/company/trust/security-bulletins/connectwise- ScreenConnect-23.9.8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-1709

Risks

Vulnerabilities in ConnectWise ScreenConnect prior to version v23.9.8 allow a malicious attacker to gain administrator access on a ScreenConnect server. From here malicious attackers can use the ScreenConnect functionality to execute malicious code on all the connected systems. These vulnerabilities could lead to a complete compromise of your business.

The vulnerabilities CVE-2024-1708 and CVE-2024-1709 are currently being actively exploited, with multiple groups of ransomware actors attempting to take advantage of these weaknesses.

Both vulnerabilities are trivial to exploit, which makes them an appealing target for cybercriminals.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. Update Self-

hosted instances of ScreenConnect serve tor version 23.9.8 or later immediately!

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. Indicators and hunting rules can be found in the references below.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the- ScreenConnect-authentication-bypass
https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe- 288-2
https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708- cve-2024-1709/
https://www.bleepingcomputer.com/news/security/ScreenConnect-critical- bug-now-under-attack-as-exploit-code-emerges