Security researchers say a pair of easy-to-exploit flaws in a popular remote-access tool used by more than a million companies around the world are now being mass exploited, with hackers abusing the vulnerabilities to deploy ransomware and steal sensitive data.
Cybersecurity giant Mandiant said in a post on Friday that it has “identified mass exploitation” of the two flaws in ConnectWise ScreenConnect, a popular remote access tool that allows IT staff and technicians to provide technical support directly on customer systems over the internet.
The two vulnerabilities comprise CVE-2024-1709, an authentication bypass vulnerability that researchers deemed “embarrassingly easy” for attackers to exploit, and CVE-2024-1708, a path-traversal vulnerability that allows hackers to remotely plant malicious code, such as malware, on vulnerable ConnectWise customer instances.
ConnectWise first disclosed the flaws on February 19 and urged on-premise customers to install security patches immediately. However, thousands of servers remain vulnerable, according to data from the Shadowserver Foundation, and each of these servers can manage up to 150,000 customer devices.
Mandiant said it had identified “various threat actors” exploiting the two flaws and warned that “many of them will deploy ransomware and conduct multifaceted extortion,” but did not attribute the attacks to specific threat groups.
Finnish cybersecurity firm WithSecure said in a blog post Monday that its researchers have also observed “en-mass exploitation” of the ScreenConnect flaws from multiple threat actors. WithSecure said these hackers are exploiting the vulnerabilities to deploy password stealers, back doors, and in some cases ransomware.
WithSecure said it also observed hackers exploiting the flaws to deploy a Windows variant of the KrustyLoader back door on unpatched ScreenConnect systems, the same kind of back door planted by hackers recently exploiting vulnerabilities in Ivanti’s corporate VPN software. WithSecure said it could not yet attribute the activity to a particular threat group, though others have linked the past activity to a China-backed hacking group focused on espionage.
Security researchers at Sophos and Huntress both said last week that they had observed the LockBit ransomware gang launching attacks that exploit the ConnectWise vulnerabilities — just days after an international law enforcement operation claimed to disrupt the notorious Russia-linked cybercrime gang’s operations.
Huntress said in its analysis that it has since observed a “number of adversaries” leveraging exploits to deploy ransomware, and a “significant number” of adversaries using exploits to deploy cryptocurrency mining software, install additional “legitimate” remote access tools to maintain persistent access to a victim’s network, and create new users on compromised machines.
It’s not yet known how many ConnectWise ScreenConnect customers or end users are affected by these vulnerabilities, and ConnectWise spokespeople did not respond to TechCrunch’s questions. The company’s website claims that the organization provides its remote access technology to more than a million small- to medium-sized businesses that manage over 13 million devices.
On Sunday, ConnectWise called off a prearranged interview between TechCrunch and its CISO Patrick Beggs, scheduled for Monday. ConnectWise did not give a reason for the last-minute cancellation.
Are you affected by the ConnectWise vulnerability? You can contact Carly Page securely on Signal at +441536 853968 or by email at [email protected]. You can also contact TechCrunch via SecureDrop.