
ConnectWise Vulnerability Update


Vulnerable organizations should follow the recommended actions from ConnectWise, plus several other key precautions

On February 19, 2024, ConnectWise released a security bulletin reporting two vulnerabilities, CVE-2024-1709 and CVE-2024-1708, in the ScreenConnect On-Premise product; cloud-based ScreenConnect instances were updated automatically by ConnectWise. When exploited, the vulnerabilities allow an attacker to bypass authentication or traverse directories on the server and potentially access files. They affect ScreenConnect versions 23.9.7 and prior. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, indicating that the vulnerability is being actively exploited by adversaries.

ConnectWise recommends the following actions to mitigate the vulnerabilities:

  1. Immediately upgrade ScreenConnect to 23.9.8 or newer.
  2. For the cloud-based version, verify that ScreenConnect agents were upgraded automatically.

In addition to performing the recommended actions from ConnectWise, potentially impacted organizations should take the following precautions as part of their incident response process: 

Note: The following response steps should be performed before upgrading the vulnerable products to avoid overwriting pertinent artifacts. Once the artifacts are preserved, continue with upgrading the vulnerable products. 

  1. Review ScreenConnect logs (on-prem and cloud), firewall logs (on-prem deployments), and IIS logs for indicators of compromise (IoCs).
  2. Review the User.xml file to identify anomalous activity. According to Team Huntress, the User.xml file is overwritten whenever any user performs an action, so reliance on this file alone is not enough; previous versions of the file may be recoverable through digital forensics.
  3. Review Windows Event Logs for Event ID 4663. This requires Advanced Auditing to have been enabled prior to exploitation.

IoCs reported by ConnectWise: 

  • 155.133.5[.]15 
  • 155.133.5[.]14 
  • 118.69.65[.]60 
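A way to carry out the IIS log review from step 1 against the IoCs above, as an added example that is not part of the bulletin or IronGate's own tooling: it parses the IIS W3C extended log format using the log's own `#Fields:` directive and flags requests whose client address matches a (re-fanged) IoC. The sample log and the `203.0.113.7` address are constructed for illustration.

```python
# IoC addresses as listed in the ConnectWise bulletin, kept defanged as on the page.
CONNECTWISE_IOCS = ["155.133.5[.]15", "155.133.5[.]14", "118.69.65[.]60"]


def refang(ip: str) -> str:
    """Turn a defanged address such as 155.133.5[.]15 back into 155.133.5.15."""
    return ip.replace("[.]", ".")


def parse_iis_w3c(lines):
    """Yield one dict per request from an IIS W3C extended log."""
    # The column layout comes from the latest '#Fields:' directive, so logs with
    # different field selections are handled without hard-coding positions.
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row encountered before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_ioc_hits(lines, iocs=CONNECTWISE_IOCS):
    """Return (client ip, timestamp, method, uri, status) for requests from IoC addresses."""
    wanted = {refang(i) for i in iocs}
    hits = []
    for rec in parse_iis_w3c(lines):
        if rec.get("c-ip") in wanted:
            hits.append((rec["c-ip"], f"{rec.get('date')} {rec.get('time')}",
                         rec.get("cs-method"), rec.get("cs-uri-stem"), rec.get("sc-status")))
    return hits


# Constructed sample log, not real traffic; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-02-20 01:02:03 10.0.0.5 GET / - 443 - 203.0.113.7 Mozilla/5.0 200
2024-02-20 01:05:44 10.0.0.5 POST / - 443 - 155.133.5.15 Mozilla/5.0 200
2024-02-20 01:06:10 10.0.0.5 GET / - 443 - 118.69.65.60 Mozilla/5.0 302
""".splitlines()
```

Run `find_ioc_hits` over the lines of each `u_ex*.log` file in the IIS log directory of the ScreenConnect host; the IoC list can be extended with any additional addresses identified during the review.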

Additional steps for mitigation if abnormal access is identified:

  • Isolate the ScreenConnect system from the internet and preserve it in place (do not power off).
  • Contact your Digital Forensics and Incident Response provider for additional assistance. 

Steve Ramey

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests. He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.