Connecting the Dots: Detecting the Exploitation of ConnectWise ScreenConnect Vulnerabilities

Darktrace documented exploitation of the ConnectWise ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709 across multiple customer networks in early 2024, highlighting post-exploitation activity and the detections it raised around ScreenConnect usage and external connections. The post also describes how Darktrace DETECT and RESPOND helped identify, contain, and quarantine the activity, including autonomous response and pattern-of-life enforcement.

Key points

  • Two publicly disclosed vulnerabilities in ScreenConnect (CVE-2024-1708 and CVE-2024-1709) enable authentication bypass and potential remote access to confidential information or critical systems.
  • Darktrace observed exploitation activity across multiple customer environments between January and March 2024, with indicators of compromise (IoCs) aligning to ScreenConnect usage patterns.
  • Attackers could create new administrative accounts on exposed instances, enabling privilege escalation, backdoors, and disruption of RMM processes, potentially leading to ransomware deployment.
  • Detected activity included connections to screenconnect[.]com, usage of the LabTech Agent user agent, and external connections to IPs such as 108.61.210.72 and 185.62.58.132, among others.
  • In at least one case, threat actors downloaded an AnyDesk installer from 116.0.56.101, illustrating post-exploitation lateral movement and tool delivery.
  • Darktrace’s autonomous RESPOND mode blocked suspicious endpoints, quarantined devices, and enforced a pattern-of-life to limit outbound and lateral movement.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – INITIAL ACCESS
  • [T1189] Drive-by Compromise – INITIAL ACCESS
  • [T1210] Exploitation of Remote Services – LATERAL MOVEMENT
  • [T1105] Ingress Tool Transfer – COMMAND AND CONTROL
  • [T1588.001] Malware (sub-technique of T1588, Obtain Capabilities) – RESOURCE DEVELOPMENT
  • [T1059.001] PowerShell (sub-technique of T1059) – EXECUTION
  • [T1550.002] Pass the Hash (sub-technique of T1550) – DEFENSE EVASION, LATERAL MOVEMENT
  • [T1078] Valid Accounts – DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS
  • [T1185] Man-in-the-Browser – COLLECTION
  • [T1041] Exfiltration Over C2 Channel – EXFILTRATION
  • [T1590.005] IP Addresses (sub-technique of T1590) – RECONNAISSANCE
  • [T1219] Remote Access Software – COMMAND AND CONTROL
  • [T1570] Lateral Tool Transfer – LATERAL MOVEMENT
  • [T1071] Application Layer Protocol – COMMAND AND CONTROL

Indicators of Compromise

  • IP addresses: 108.61.210.72, 185.62.58.132, 116.0.56.101
  • Domain: screenconnect[.]com
  • URIs: /MyUserName_DEVICEHOSTNAME, /images/Distribution.exe
  • User agent: LabTech Agent
  • File hashes: 24780657328783ef50ae0964b23288e68841a421 (SHA1), a21768190f3b9feae33aaef660cb7a83 (MD5)
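The indicators listed above and in the key points can be checked against proxy logs. The following is an added example (not Darktrace's code or the blog's own detection logic) that matches constructed log lines against the page's IPs, domain, user agent and URIs; the log format is assumed, and the URI template /MyUserName_DEVICEHOSTNAME is generalised to any /<name>_<HOST> path, which is an assumption.

```python
import re

# Indicators taken from the write-up above.
IOC_IPS = {"108.61.210.72", "185.62.58.132", "116.0.56.101"}
IOC_DOMAINS = {"screenconnect.com"}
IOC_USER_AGENTS = {"LabTech Agent"}
IOC_URIS = {"/images/Distribution.exe"}
# Assumption: "/MyUserName_DEVICEHOSTNAME" is a template, so match any /<name>_<HOST>.
IOC_URI_RE = re.compile(r"^/[A-Za-z0-9.\-]+_[A-Za-z0-9\-]+$")

# Constructed proxy-log format (assumed, not the blog's data):
# <timestamp> <src_ip> <dst_host_or_ip> <method> <uri> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines: 10.0.0.15 shows the combination the post describes,
# 10.0.0.22 is benign traffic.
SAMPLE_LOG = [
    '2024-02-20T10:01:05Z 10.0.0.15 185.62.58.132 GET /MyUserName_DEVICEHOSTNAME "LabTech Agent"',
    '2024-02-20T10:02:11Z 10.0.0.15 116.0.56.101 GET /images/Distribution.exe "Mozilla/5.0"',
    '2024-02-20T10:03:40Z 10.0.0.22 updates.example.com GET /patch.msi "Mozilla/5.0"',
]


def match_line(line):
    """Return the indicator hits for one log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ts, _src, dst, _method, uri, ua = m.groups()
    hits = []
    if dst in IOC_IPS:
        hits.append(f"dst-ip:{dst}")
    # The vendor domain is weak on its own: legitimate agents also reach it.
    host = dst.lower()
    if host in IOC_DOMAINS or host.endswith(tuple("." + d for d in IOC_DOMAINS)):
        hits.append(f"dst-domain:{host}")
    if ua in IOC_USER_AGENTS:
        hits.append(f"user-agent:{ua}")
    if uri in IOC_URIS:
        hits.append(f"uri:{uri}")
    elif IOC_URI_RE.match(uri):
        hits.append(f"uri-pattern:{uri}")
    return hits


def scan(lines):
    """Group hits by source IP; several indicator types from one host is the
    combination worth triaging first."""
    by_src = {}
    for line in lines:
        hits = match_line(line)
        if hits:
            by_src.setdefault(LOG_RE.match(line).group(2), []).extend(hits)
    return by_src
```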

Read more: https://darktrace.com/blog/connecting-the-dots-darktraces-detection-of-the-exploitation-of-the-connectwise-screenconnect-vulnerabilities