Vulnerability in ConnectWise ScreenConnect Sparks Interest Among Multiple Cybercriminals
Multiple vulnerabilities in ConnectWise ScreenConnect are being exploited by criminal threat groups. ConnectWise initially said it had no evidence tying the flaws to the observed threat activity, but later confirmed that the two were related.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-1709, a critical authentication-bypass flaw, to its Known Exploited Vulnerabilities catalog last week, shortly after ConnectWise notified the agency about the CVE. A less severe path-traversal vulnerability, CVE-2024-1708, was not included in that listing.
Researchers at Trend Micro have identified that criminal threat groups, including Black Basta and Bloody Ransomware, are exploiting critical security flaws in ConnectWise ScreenConnect. Exploitation of these vulnerabilities began to ramp up starting Feb. 22, as threat groups and researchers likely began testing a proof of concept, according to Greg Young, VP of cybersecurity and corporate development at Trend Micro.
Attackers have been observed conducting reconnaissance, stealing data, and deploying ransomware following exploitation of the ScreenConnect vulnerabilities. Trend Micro researchers are seeing approximately 2,300 vulnerable servers exposed globally, more than 1,500 of them in the U.S.
ConnectWise released a patch for on-premises ScreenConnect customers on Feb. 19, after an independent researcher notified the company about the vulnerability on Feb. 13. The company has also made patched builds available to customers still running older, otherwise out-of-support versions of the application.
Sophisticated attackers frequently target organizations running end-of-life software that no longer receives technical support or security updates. Researchers describe the exploitation of the ScreenConnect vulnerabilities as one of the most serious campaigns to emerge in recent months. ConnectWise has repeatedly urged on-premises customers to upgrade to version 23.9.8 of the software.
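A practical first step for a defender is to triage an inventory of ScreenConnect servers against the fixed version the article cites. The script below is an added example written for this page; it is not code from the article, from ConnectWise, or from Trend Micro. The only facts it takes from the article are the fixed on-premises version (23.9.8) and the two CVE identifiers; the inventory, hostnames, and version strings are constructed sample data, and the treatment of hosted instances is an assumption stated in the comments. It also shows the version-comparison pitfall a naive check falls into: as strings, "23.10.1" sorts below "23.9.8".

```python
"""Triage a ScreenConnect server inventory against the 23.9.8 fix level.

Added example for this article, not vendor code. Inventory data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# From the article: on-premises customers are urged to upgrade to 23.9.8.
FIXED_VERSION = (23, 9, 8)
RELATED_CVES = ("CVE-2024-1709", "CVE-2024-1708")

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '23.9.7.8804' into (23, 9, 7, 8804); reject junk instead of guessing."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_below_fix(version: str, fixed: tuple[int, ...] = FIXED_VERSION) -> bool:
    """Numeric comparison against the fix level.

    Compares only as many components as the fix level has, so build numbers
    such as 23.9.8.8811 are treated as 23.9.8. A short string like '23.9'
    compares below (23, 9, 8) and is therefore flagged for review, because the
    patch level cannot be confirmed from it.
    """
    parsed = parse_version(version)
    return parsed[: len(fixed)] < fixed


@dataclass(frozen=True)
class Server:
    host: str
    version: str
    deployment: str  # "on-prem" or "hosted"


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    Server("sc-hq.example.internal", "23.9.7.8804", "on-prem"),
    Server("sc-branch.example.internal", "23.9.8.8811", "on-prem"),
    Server("sc-lab.example.internal", "23.10.1", "on-prem"),  # string-sorts below 23.9.8
    Server("sc-legacy.example.internal", "22.4.2", "on-prem"),
    Server("sc-old.example.internal", "unknown", "on-prem"),
    Server("acme.example-hosted.net", "23.9.7", "hosted"),
]


def triage(inventory: list[Server]) -> list[tuple[str, str]]:
    """Return (host, reason) pairs for every server that still needs attention."""
    findings: list[tuple[str, str]] = []
    for server in inventory:
        if server.deployment != "on-prem":
            # Assumption: the 23.9.8 guidance in the article is for on-premises
            # servers, so hosted instances are listed for vendor-side confirmation
            # rather than judged by version number.
            findings.append((server.host, "hosted instance: confirm patch status with vendor"))
            continue
        try:
            below = is_below_fix(server.version)
        except ValueError as exc:
            findings.append((server.host, f"unparseable version, inspect manually: {exc}"))
            continue
        if below:
            findings.append(
                (server.host, f"{server.version} is below 23.9.8; review for {', '.join(RELATED_CVES)}")
            )
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host:32} {reason}")
```

The two servers that a string comparison would misclassify are `sc-lab` (23.10.1, actually above the fix) and any build-numbered 23.9.8.x host; the tuple comparison handles both, and an unparseable version is surfaced rather than silently treated as safe.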
Public reporting on exactly which groups are exploiting CVE-2024-1709 is still developing, and attribution of individual intrusions may change as more evidence is published.
Exploit activity tends to emerge quickly once a vulnerability becomes public or a proof of concept is weaponized, so continuous monitoring of specialized threat-intelligence sources and official advisories is recommended. Corporate stakeholders want to understand the risk to their technology stacks, and in particular whether they are a likely target.
For most organizations, though, the practical question is whether they run an exposed, unpatched on-premises ScreenConnect server, not which group might come for it. Patching and verifying exposure should not wait on attribution.
- The threat activity observed against ConnectWise ScreenConnect has been linked to ransomware groups including Black Basta and Bloody Ransomware.
- Trend Micro researchers have identified these groups exploiting critical security flaws in ScreenConnect, with approximately 2,300 vulnerable servers exposed globally.
- CISA's Known Exploited Vulnerabilities catalog lists only CVE-2024-1709; the less severe path-traversal vulnerability, CVE-2024-1708, was not included.
- Organizations should upgrade on-premises servers to version 23.9.8 or apply the vendor's patched builds promptly, and verify exposure rather than wait for attribution to a specific ransomware group.