Researchers say easy-to-exploit security bugs in ConnectWise remote-access software now under mass attack

/in


Security researchers say a pair of easy-to-exploit flaws in a popular remote-access tool used by more than a million companies around the world are now being mass exploited, with hackers abusing the vulnerabilities to deploy ransomware and steal sensitive data.

Cybersecurity giant Mandiant said in a post on Friday that it has “identified mass exploitation” of the two flaws in ConnectWise ScreenConnect, a popular remote access tool that allows IT and technicians to remotely provide technical support directly on customer systems over the internet.

The two vulnerabilities comprise CVE-2024-1709, an authentication bypass vulnerability that researchers deemed “embarrassingly easy” for attackers to exploit, and CVE-2024-1708, a path-traversal vulnerability that allows hackers to remotely plant malicious code, such as malware, on vulnerable ConnectWise customer instances.

ConnectWise first disclosed the flaws on February 19 and urged on-premise customers to install security patches immediately. However, thousands of servers remain vulnerable, according to data from the Shadowserver Foundation, and each of these servers can manage up to 150,000 customer devices.

Mandiant said it had identified “various threat actors” exploiting the two flaws and warned that “many of them will deploy ransomware and conduct multifaceted extortion,” but did not attribute the attacks to specific threat groups.

Finnish cybersecurity firm WithSecure said in a blog post Monday that its researchers have also observed “en-mass exploitation” of the ScreenConnect flaws from multiple threat actors. WithSecure said these hackers are exploiting the vulnerabilities to deploy password stealers, back doors, and in some cases ransomware.

WithSecure said it also observed hackers exploiting the flaws to deploy a Windows variant of the KrustyLoader back door on unpatched ScreenConnect systems, the same kind of back door planted by hackers recently exploiting vulnerabilities in Ivanti’s corporate VPN software. WithSecure said it could not yet attribute the activity to a particular threat group, though others have linked the past activity to a China-backed hacking group focused…

Source…