Dive Brief:
- Criminal threat groups, including Black Basta and Bloody Ransomware, are ramping up exploitation of critical security flaws in ConnectWise ScreenConnect, researchers at Trend Micro said Tuesday.
- The vulnerabilities include an authentication bypass vulnerability, listed as CVE-2024-1709 with a CVSS score of 10, which researchers describe as “trivial” to exploit. Hackers have been observed conducting reconnaissance, stealing data and deploying ransomware. Black Basta affiliates were observed deploying Cobalt Strike beacons.
- A variety of threat groups were deploying LockBit ransomware, too, Sophos researchers said last week.
Dive Insight:
The exploitation of ConnectWise ScreenConnect vulnerabilities is one of the most serious campaigns to emerge in recent months, researchers warn.
“We’re seeing threat activity continuing for this vulnerability at a steady pace,” said Greg Young, VP of cybersecurity and corporate development at Trend Micro.
Exploitation began to ramp up on Feb. 22, as threat groups and researchers likely began testing a proof of concept, Young said.
Trend Micro researchers are seeing about 2,300 vulnerable servers globally, with more than 1,500 in the U.S.
ConnectWise originally released a patch on Feb. 19 for on-premises ScreenConnect customers after an independent researcher notified the company about the vulnerability on Feb. 13.
On Feb. 22, the Cybersecurity and Infrastructure Security Agency added CVE-2024-1709 to its Known Exploited Vulnerabilities catalog, shortly after ConnectWise notified the agency about the CVE. A less severe path-traversal vulnerability, listed as CVE-2024-1708, was not included in that listing.
ConnectWise has repeatedly urged on-premises customers to upgrade to version 23.9.8 of the software.
The company on Friday initially denied any direct link between the vulnerabilities and malicious threat activity; however, ConnectWise later confirmed that the observed threat activity was related to the security flaws.
ConnectWise is providing patched versions to customers who may be running out-of-date versions of the application.
Sophisticated hackers have frequently targeted users running end-of-service versions of applications that no longer receive technical support or security updates.
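As an added example (not code from the article, Trend Micro or ConnectWise), a defender-side inventory check that flags on-premises ScreenConnect hosts still below the 23.9.8 level named above; the host inventory is constructed sample data, and version parts are compared numerically because plain string comparison would misorder a release such as 23.9.10.

```python
# Added example (not from the article or ConnectWise): flag on-prem ScreenConnect
# hosts below the 23.9.8 patch level. Inventory is constructed sample data.
from typing import Dict, List, Tuple

PATCHED_VERSION = "23.9.8"  # release ConnectWise urged on-premises customers to install

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.7.8804' into (23, 9, 7, 8804) so comparison is numeric, not string-based."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(version: str, baseline: str = PATCHED_VERSION) -> bool:
    """True if version is at or above the baseline, compared on major.minor.patch only."""
    v = parse_version(version)[:3]
    b = parse_version(baseline)[:3]
    # Pad shorter tuples with zeros so '23.9' compares as (23, 9, 0); numeric tuples
    # avoid the string-order pitfall where '23.9.10' would sort below '23.9.8'.
    width = max(len(v), len(b))
    v += (0,) * (width - len(v))
    b += (0,) * (width - len(b))
    return v >= b

def find_unpatched(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose version is below the baseline or cannot be parsed (needs review)."""
    flagged = []
    for host, version in sorted(inventory.items()):
        try:
            if not is_patched(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)  # unknown version: do not assume it is patched
    return flagged

# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = {
    "sc-hq-01.example.internal": "23.9.8.8811",
    "sc-branch-02.example.internal": "23.9.7.8804",
    "sc-lab-03.example.internal": "23.9.10",
    "sc-legacy-04.example.internal": "22.6.10000",
    "sc-unknown-05.example.internal": "n/a",
}

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"NEEDS PATCH: {host} ({SAMPLE_INVENTORY[host]})")
```

Hosts with an unparseable version are flagged rather than skipped, so a missing inventory value is surfaced for manual review instead of silently counted as patched.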