Security News > 2024 > February > ScreenConnect flaws exploited to deliver all kinds of malware (CVE-2024-1709, CVE-2024-1708)
The recently patched vulnerabilities in ConnectWise ScreenConnect software are being exploited by numerous attackers to deliver a variety of malicious payloads.
After PoC exploits for CVE-2024-1709 have been made public, various attackers began targeting vulnerable public-facing ScreenConnect servers, hoping to use them as a way into enterprise networks.
Sophos' X-Ops task force says that they spotted attackers deliver two different ransomware variants, as well as infostealers, RATs, worms, Cobalt Strike payloads, and additional remote access clients.
Huntress researchers have also spotted some of these attacks, but also attacks involved cryptocurrency miners and setting up SSH backdoors and persistent reverse shells.
If you've failed to upgrade your self-hosted ScreenConnect instance in time, you are now faced the time-consuming process of searching for evidence of compromise, piecing together just how deep the attackers have managed to burrow into your enterprise network, and cleaning all affected systems to boot them out.
"Sophos has evidence that attacks against both servers and client machines are currently underway. Patching the server will not remove any malware or webshells attackers manage to deploy prior to patching and any compromised environments need to be investigated."
News URL
https://www.helpnetsecurity.com/2024/02/26/cve-2024-1709-exploited/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-21 | CVE-2024-1709 | Unspecified vulnerability in Connectwise Screenconnect 23.8.4/23.8.5 ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | 10.0 |