
ConnectWise ScreenConnect Attack

Released: Feb 27, 2024

Updated: Mar 11, 2024


Severity: Critical

Vendor: ConnectWise

Type: Vulnerability, Attack


An IT remote access tool actively targeted

Threat actors, including ransomware gangs, have been observed exploiting newly discovered critical flaws in ScreenConnect, a remote monitoring and management software product.

Common Vulnerabilities and Exposures

CVE-2024-1709
CVE-2024-1708

Background

One of the flaws, CVE-2024-1709, is an authentication bypass vulnerability using an alternate path or channel that could let attackers gain administrative access to a ScreenConnect instance. The second flaw, tracked as CVE-2024-1708, is a path traversal vulnerability that may allow an attacker to execute code remotely. According to Shadowserver, around 8200 vulnerable ConnectWise ScreenConnect instances were found on the internet and 643 IPs were observed attacking them. According to the company website, ConnectWise's remote-access software is among the leading tools used by managed service providers (MSPs) to remotely connect to their customers' systems. Exploitation could therefore pose a significant threat to end users' systems, which could be targeted downstream, and can allow hackers to plant malicious code remotely.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


February 19, 2024: ConnectWise published a security advisory and released a patch covering both vulnerabilities.
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

February 21, 2024: Proof of Concept (PoC) code was released on GitHub.

February 22, 2024: CVE-2024-1709 was added to CISA's Known Exploited Vulnerabilities catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

February 22, 2024: FortiGuard Labs released a Threat Signal on the ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709).
https://www.fortiguard.com/threat-signal-report/5389/


March 07, 2024: FortiGuard MDR and the FortiGuard IR team responded to several incidents related to exploitation of ConnectWise ScreenConnect and have released a detailed analysis.
https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-post-exploitation/ta-p/303439

FortiGuard Labs recommends that companies apply the most recent upgrade or patch from the vendor as soon as possible.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Lure
  • Decoy VM
  • AV
  • Vulnerability
  • AV (Pre-filter)
  • IPS

DETECT
  • Outbreak Detection
  • Threat Hunting
  • IOC
  • Playbook

RESPOND
  • Assisted Response Services
  • Automated Response

RECOVER
  • NOC/SOC Training
  • End-User Training

IDENTIFY
  • Vulnerability Management
  • Attack Surface Hardening
  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise
IOC Indicator List