How Businesses Can Address the ScreenConnect Vulnerability
Cybersecurity experts call the flaw “embarrassingly easy” for attackers to use
ConnectWise announced on February 19 that its ScreenConnect (formerly ConnectWise Control) software, a widely used tool for remote desktop management, contained two critical vulnerabilities. The company has since released patches to fix the issues and urged its customers to update as soon as possible. Cybersecurity experts then told various news organizations that it would be nearly effortless for threat actors to launch attacks via these vulnerabilities.
At-Bay’s Cyber Research team has already observed multiple threat actors taking advantage of this vulnerability to launch attacks. This article explains how threat actors have moved quickly to launch attacks and offers some tips businesses can follow to avoid falling victim to this latest threat.
Understanding the Core Issues in ScreenConnect
ScreenConnect is a lifeline for IT support, enabling technicians to control computers remotely as if they were physically present. However, the severe security flaws within the platform identified in these two alerts effectively leave a door open, providing attackers with unfettered access.
The primary concerns are:
- Authentication Bypass: This vulnerability allows attackers to create their own administrative user, granting them complete control over the platform. (CVE-2024-1709)
- Path Traversal: This secondary vulnerability provides attackers with a method to access unauthorized files, further compromising the integrity of the system. (CVE-2024-1708)
The Threat Is Real
Although ConnectWise has issued updates to address these vulnerabilities, the potentially large number of businesses that are unaware of the risk or have yet to implement the patches is a concern to security experts. Active exploitation of these vulnerabilities is already happening. Threat intelligence company Huntress Labs released a blog entry describing efforts to exploit the vulnerability as “embarrassingly easy.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added one of the ConnectWise vulnerabilities to its Known Exploited Vulnerabilities (KEV) list.
Recommended Actions
Businesses using ScreenConnect, particularly those with self-managed servers, should take immediate action:
- Promptly Update: Upgrade to version 23.9.8 or later to mitigate these vulnerabilities.
- Investigate for Unknown Behavior: Meticulously inspect your system for any signs of unauthorized access, such as unfamiliar user accounts, or reach out to your security services teams to do so.
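One way to apply both recommended actions across several servers, shown as an added example that is not At-Bay's or ConnectWise's own tooling: it compares each reported version numerically against 23.9.8 and lists accounts missing from an approved baseline. The inventory layout, host names, accounts and baseline are assumptions constructed for illustration.

```python
import re

FIXED_VERSION = (23, 9, 8)  # first patched release named in the article

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_patched(text):
    """True only when the version parses and is >= 23.9.8, compared numerically."""
    version = parse_version(text)
    if version is None:
        return False  # unknown version: treat as unpatched until verified
    # Compare major.minor.patch only; a plain string compare would rank
    # "23.9.10" below "23.9.8" and misreport a patched server.
    return (version + (0, 0, 0))[:3] >= FIXED_VERSION

def unfamiliar_accounts(accounts, baseline):
    """Accounts present on the server but absent from the approved baseline."""
    approved = {name.strip().lower() for name in baseline}
    return sorted(a for a in accounts if a.strip().lower() not in approved)

def triage(inventory, baseline):
    """Return (host, reasons) for every host needing a patch or an account review."""
    findings = []
    for host in inventory:
        reasons = []
        if not is_patched(host["version"]):
            reasons.append("upgrade to 23.9.8 or later (reported %s)" % host["version"])
        extra = unfamiliar_accounts(host["accounts"], baseline)
        if extra:  # checked even on patched hosts: patching does not remove accounts
            reasons.append("review accounts: " + ", ".join(extra))
        if reasons:
            findings.append((host["name"], reasons))
    return findings

# Constructed sample data: host names, versions and accounts are invented.
BASELINE = ["it-admin", "helpdesk"]
INVENTORY = [
    {"name": "sc-01", "version": "23.9.7", "accounts": ["it-admin"]},
    {"name": "sc-02", "version": "23.9.10", "accounts": ["IT-Admin", "helpdesk"]},
    {"name": "sc-03", "version": "23.9.8", "accounts": ["helpdesk", "svc_new"]},
    {"name": "sc-04", "version": "unknown", "accounts": ["helpdesk"]},
]

if __name__ == "__main__":
    for name, reasons in triage(INVENTORY, BASELINE):
        print(name, "->", "; ".join(reasons))
```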
We’ve Got Your Back
This incident highlights how a single vulnerability can pose a systemic risk across businesses of all sizes. We hope to keep businesses in line with best security practices: Always be alert, keep up with possible dangers, and make sure to update all systems on time.
If you are an At-Bay broker or policyholder with questions or concerns regarding ConnectWise, please contact security@at-bay.com.