SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Adversaries are leveraging a path traversal bug and auth bypass in ScreenConnect that allows them to create a privileged account for remote control. Quote: “Adversaries are leveraging a path traversal bug and auth bypass in ScreenConnect that allows them to create a privileged account for remote control.”
• [T1087] Account Discovery – Adversaries are attempting to discover privileged users by running a script across compromised systems. Quote: “Adversaries are attempting to discover privileged users by running a script across compromised systems.”
• [T1562.001] Disable or Modify Tools – Adversaries are attempting to evade detection by adding exclusion paths to Windows Defender using PowerShell. Quote: “Adversaries are attempting to evade detection by adding exclusion paths to Windows Defender using PowerShell.”
• [T1070.001] Clear Windows Event Logs – Ransomware actors attempt to remove event logs using wevtutil.exe cl. Quote: “Ransomware actors attempt to remove event logs using wevtutil.exe cl.”
• [T1059] Command and Scripting Interpreter – Adversaries are using PowerShell and CMD to download and execute scripts from remote locations. Quote: “Adversaries are using PowerShell and CMD to download and execute scripts from remote locations, facilitating various activities such as cryptocurrency mining and remote access.”
• [T1053] Scheduled Task – Adversaries are creating scheduled tasks for their cryptominers and remote access. Quote: “Adversaries are creating scheduled tasks for their cryptominers and remote access.”
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Adversaries stored their MSI ransomware payload in the Public startup folder. Quote: “Adversaries stored their MSI ransomware payload in the Public startup folder.”
• [T1136] Create Account – Adversaries created new users and in some instances added them to privileged groups. Quote: “Adversaries created new users and in some instances added them to privileged groups.”
• [T1053] Scheduled Task – (Persistence) Adversaries are creating scheduled tasks for their cryptominers and remote access. Quote: “Adversaries are creating scheduled tasks for their cryptominers and remote access.”
• [T1546.003] Event Triggered Execution: Windows Management Instrumentation Event Subscription – Adversaries are modifying the registry to achieve persistence by adding WMI Event Consumers. Quote: “Adversaries are modifying the registry to achieve persistence by adding WMI Event Consumers.”
• [T1133] External Remote Services – Adversaries are compromising ScreenConnect instances, deploying SSH tunnels, Chrome remote desktops, and alternate RMMs for evasive, persistent remote access. Quote: “Adversaries are compromising ScreenConnect instances, deploying SSH tunnels, Chrome remote desktops, and alternate RMMs for evasive, persistent remote access.”
• [T1105] Ingress Tool Transfer – Adversaries are downloading files using curl, certutil, and Invoke-WebRequest. Quote: “Adversaries are downloading files using curl, certutil, and Invoke-WebRequest.”
• [T1572] Protocol Tunneling – Adversaries created SSH tunnels for communication. Quote: “Adversaries created SSH tunnels for communication.”
• [T1496] Resource Hijacking – Cryptocurrency miners are being deployed by adversaries. Quote: “Cryptocurrency miners are being deployed by adversaries.”
• [T1486] Data Encrypted for Impact – Adversaries deployed ransomware via compromised ScreenConnect. Quote: “Adversaries deployed ransomware via compromised ScreenConnect.”
• [T1107] Software S0154: Cobalt Strike – Adversaries are leveraging Cobalt Strike beacons to achieve C2 connections to compromised ScreenConnect machines. Quote: “Adversaries are leveraging Cobalt Strike beacons to achieve C2 connections to compromised ScreenConnect machines.”
• [T1071.001] Web Protocols – Adversaries use Cobalt Strike beacons to reach C2 over web protocols. Quote: “Adversaries are leveraging Cobalt Strike beacons to achieve C2 connections to compromised ScreenConnect machines.”