ConnectWise Vulnerability Update

Vulnerable organizations should follow the recommended actions from ConnectWise, plus several other key precautions

On February 19, 2024, ConnectWise released a security bulletin reporting two vulnerabilities, CVE-2024-1709 and CVE-2024-1708, in the ScreenConnect on-premise product. Cloud-hosted ScreenConnect instances were updated automatically by ConnectWise. When exploited, the vulnerabilities allow an attacker to bypass authentication or traverse directories on the server and potentially access files. They affect ScreenConnect versions 23.9.7 and prior. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, indicating that the vulnerability is being actively exploited by adversaries.

ConnectWise recommends the following actions to mitigate the vulnerabilities:

  1. Immediately upgrade ScreenConnect to 23.9.8 or newer. 
  2. For cloud-based versions, verify that ScreenConnect agents were upgraded automatically.

In addition to performing the recommended actions from ConnectWise, potentially impacted organizations should take the following precautions as part of their incident response process: 

Note: The following response steps should be performed before upgrading the vulnerable products to avoid overwriting pertinent artifacts. Once the artifacts are preserved, continue with upgrading the vulnerable products. 

  1. Review ScreenConnect logs (on-prem and cloud), firewall logs (on-prem deployments), and IIS logs for indicators of compromise (IoCs).
  2. Review the User.xml file to identify anomalous activity. According to Team Huntress, the User.xml file is overwritten whenever any user performs an action, so reliance on this file alone is not enough. Previous versions of the file may be recoverable through digital forensics.
  3. Review Windows Event logs for Event ID 4663 (file system object access). This requires Advanced Auditing to have been enabled before exploitation occurred.

IoCs reported by ConnectWise: 

  • 155.133.5[.]15 
  • 155.133.5[.]14 
  • 118.69.65[.]60 
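The log review in step 1 comes down to matching the reported addresses against client-IP fields across several log sources. The following script is an added example (not IronGate's or ConnectWise's tooling) that refangs the defanged IoCs above, validates them, and flags any log line containing one of them. The IIS W3C log lines it scans are constructed samples; the request paths, user agents and non-IoC addresses in them are made up for illustration.

```python
"""Scan IIS / ScreenConnect-style log lines for the IoC IP addresses reported
in the ConnectWise bulletin.  Added example, not IronGate's or ConnectWise's
tooling; the log lines below are constructed samples."""
import ipaddress
import re
from typing import Iterable

# IoC addresses exactly as the bulletin lists them (defanged with [.]).
REPORTED_IOCS = ["155.133.5[.]15", "155.133.5[.]14", "118.69.65[.]60"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 155.133.5[.]15 back into a routable
    dotted-quad so it can be compared against real log fields."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def load_iocs(defanged: Iterable[str]) -> set[str]:
    """Refang and validate each IoC; raise on anything that is not an IPv4 address."""
    iocs = set()
    for raw in defanged:
        addr = refang(raw.strip())
        ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
        iocs.add(addr)
    return iocs


def scan_log_lines(lines: Iterable[str], iocs: set[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, matched_ip, line) for every line mentioning an IoC.
    Works on any text log (IIS W3C, ScreenConnect, firewall exports) because it
    matches on any IPv4 token in the line rather than on a fixed column."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if line.startswith("#"):          # W3C header/comment lines carry no client data
            continue
        for ip in IPV4_RE.findall(line):
            if ip in iocs:
                hits.append((lineno, ip, line.rstrip()))
                break                     # one hit per line is enough for triage
    return hits


# Constructed sample: IIS W3C lines (date time s-ip cs-method cs-uri-stem ... c-ip ...).
# Paths, user agents and the non-IoC addresses are invented for this example.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-02-20 03:12:45 10.0.0.5 GET /Login - 443 - 203.0.113.7 Mozilla/5.0 200
2024-02-20 03:13:02 10.0.0.5 GET /Login - 443 - 155.133.5.15 python-requests/2.31 200
2024-02-20 03:13:09 10.0.0.5 POST /Login - 443 - 155.133.5.15 python-requests/2.31 302
2024-02-20 03:20:41 10.0.0.5 GET /Host - 443 - 198.51.100.22 Mozilla/5.0 200
""".splitlines()


def triage_sample() -> list[tuple[int, str, str]]:
    """Run the scan over the constructed sample log."""
    return scan_log_lines(SAMPLE_IIS_LOG, load_iocs(REPORTED_IOCS))


if __name__ == "__main__":
    for lineno, ip, line in triage_sample():
        print(f"line {lineno}: IoC {ip} -> {line}")
```

To use it on a real host, read the IIS log files (and any exported ScreenConnect or firewall logs) with `open()` and pass the lines to `scan_log_lines`. Matching on any IPv4 token rather than a fixed column means a single pass covers logs with different layouts, and a non-empty result on the IoC list is a trigger for the isolation and preservation steps below, not proof of compromise by itself.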

Additional steps for mitigation if abnormal access is identified:

  • Isolate the ScreenConnect system from the internet and preserve it in place (do not power off).
  • Contact your Digital Forensics and Incident Response provider for additional assistance. 

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests. He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.
