Critical Vulnerabilities in ScreenConnect Remote Access Software Dubbed 'SlashAndGrab'

ConnectWise has issued an urgent security update for its ScreenConnect tool following the discovery of two critical vulnerabilities. The flaws, reported on February 13, 2024, through ConnectWise's vulnerability disclosure channel, pose significant risks, including the potential for authentication bypass and path traversal attacks. Identified as CVE-2024-1709/CWE-288 (Authentication bypass using an alternate path or channel) and CVE-2024-1708/CWE-22 (Improper limitation of a pathname to a restricted directory, or "path traversal"), these vulnerabilities carry a critical severity rating due to their ability to enable remote code execution or compromise sensitive data and critical systems. CISA added CVE-2024-1709 to its catalog of known exploited vulnerabilities on February 22, 2024.

ScreenConnect, a widely used remote desktop software solution among managed service providers, businesses, and help desk teams, is at risk. Versions up to 23.9.7 are affected. The urgency for patching is high, with ConnectWise advising on-premise partners to immediately upgrade to version 23.9.8 to mitigate the risks. This software is available both as a cloud-hosted service and a self-hosted server application, making it a versatile tool for remote assistance but also a target for tech support scammers and cybercriminal groups, including ransomware operators.

The severity of the vulnerabilities is echoed by cybersecurity leaders from Huntress, dubbing the vulnerability's exploitation as "SlashAndGrab." A post from Huntress researcher, John Hammond states “We independently verified the vulnerability and recreated a full exploit to compromise not just ScreenConnect server, but even move to the connected agents. This one is truly a critical, “severity 10” threat.”

Detection guidance is offered from Huntress identifying file writes and modifications to a ScreenConnect XML file with the Advanced Auditing policy configured. In addition, the presence of .aspx or .ashx files within the ScreenConnect directory - "C:\Program Files (x86)\ScreenConnect\App_Extensions" are encouraged to prompt immediate investigation. The vulnerability's exploitation, identified to have led to the deployment of LockBit ransomware, coinminers, SSH tunnels, and additional remote monitoring and management tools.  

Further investigation into the exploitation of the ScreenConnect vulnerabilities from Sophos's telemetry reveal that the flaws have been used initiate the deployment of AsyncRAT among other malicious payloads. Sophos reports a multi-stage attack commencing with the execution of a malicious .wsf script via the ScreenConnect Windows Client. This script commands wscript.exe to run a PowerShell script that employs bitsadmin to download additional payloads into the C:\users\public\ directory. Subsequent scripts are then triggered: app.js sets up persistent tasks through cmd.exe, and run.ps1 leverages process hollowing within aspnet_compiler.exe to inject AsyncRAT, illustrating a well-orchestrated sequence of attack steps leading to a system compromise.