Security researchers say a pair of easily exploitable flaws in a popular remote access tool used by more than a million companies worldwide are now being widely exploited, with hackers abusing the vulnerabilities to deploy ransomware and steal sensitive data.
Cybersecurity giant Mandiant she said in a post on Friday that it has “discovered mass exploitation” of the two flaws in ConnectWise ScreenConnect, a popular remote access tool that allows IT and technicians to remotely provide technical support directly to customer systems over the Internet.
The two vulnerabilities include CVE-2024-1709, an authentication bypass vulnerability that researchers deemed “embarrassingly easy” for attackers to exploit, and CVE-2024-1708, a path traversal vulnerability that allows hackers to remotely code, such as malware. , on vulnerable ConnectWise client instances.
ConnectWise first disclosed the flaws on February 19 and urged on-premises customers to install security patches immediately. However, thousands of servers remain vulnerable, according to data from the Shadowserver Foundationand each of these servers can manage up to 150,000 client devices.
Mandiant said it had identified “various threat actors” exploiting the two flaws and warned that “many of them will deploy ransomware and perform multifaceted extortion,” but did not attribute the attacks to specific threat groups.
Finnish cybersecurity company WithSecure said a blog post On Monday its researchers also observed “massive exploitation” of ScreenConnect’s flaws by multiple threat actors. WithSecure said these hackers are exploiting the vulnerabilities to develop password stealers, backdoors and in some cases ransomware.
WithSecure also said it observed hackers exploiting the flaws to deploy a Windows variant of the KrustyLoader backdoor on unpatched ScreenConnect systems, the same kind of backdoor planted by hackers exploiting recent vulnerabilities in Ivanti’s enterprise VPN software. WithSecure said it could not yet attribute the activity to a specific threat group, although others have linked the past activity to a Chinese-backed hacking group focused on espionage.
Security researchers at Sophos and Huntress both said last week that they had spotted the LockBit ransomware gang launching attacks exploiting ConnectWise vulnerabilities – just days after an international law enforcement operation claimed to have disrupted the notorious gang’s operations cybercrime linked to Russia.
Hunter he said in his analysis that it has since observed a “number of adversaries” using exploits to deploy ransomware and a “significant number” of adversaries using exploits developing cryptocurrency mining software, has installed additional “legitimate” remote access tools to maintain stable access to the victim’s network, and creating new users on compromised machines.
It’s not yet known how many customers or end users of ConnectWise ScreenConnect are affected by these vulnerabilities, and ConnectWise representatives did not respond to TechCrunch’s questions. The company’s website claims that the organization provides remote access technology to more than one million small and medium-sized businesses that manage more than 13 million devices.
On Sunday, ConnectWise canceled a previously scheduled interview between TechCrunch and CISO Patrick Beggs that had been scheduled for Monday. ConnectWise did not give a reason for the last-minute cancellation.
Are you affected by the ConnectWise vulnerability? Carly Page can be reached securely on Signal at +441536 853968 or via email at carly.page@techcrunch.com. You can also contact TechCrunch via SecureDrop.
