CISA: Update ConnectWise ScreenConnect Servers Or Take Offline As Ransomware Is Deployed

‘It's odd because now our work has shifted to not getting ahead of the vulnerability and understanding it and sharing the intel, it's watching the internet burn and trying to respond and remediate the best we can. We're watching the world burn,’ says John Hammond, principal security researcher at threat hunting firm Huntress.


The Cybersecurity and Infrastructure Security Agency (CISA) issued a notice Thursday that ConnectWise partners and end customers should pull the cord on all on-prem ScreenConnect servers if they cannot update to the latest version, amid the ConnectWise ScreenConnect vulnerabilities that were reported earlier this week.

And exploits are already being seen in the wild.

“We're seeing such a variety of different attempts,” John Hammond, principal security researcher at threat hunting firm Huntress, told CRN. “So many different threat actors are just taking advantage of these golden hours of exploitation.”

In a 30-page report released Friday, Ellicott City, Md.-based Huntress said it has detected and ejected active adversaries using ScreenConnect access for post-exploitation. Payloads observed include ransomware, cryptocurrency coin miners, Cobalt Strike and additional remote access tools.

One company, UnitedHealth Group's Change Healthcare, was experiencing slowdowns at pharmacies due to a strain of LockBit malware related to ScreenConnect vulnerabilities, according to a report on SC Magazine.

In an 8-K filing with the U.S. Securities and Exchange Commission on Wednesday, United Healthcare Group, the parent company of Change HealthCare, “identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology system.”

“During the disruption, certain networks and transactional services may not be accessible,” the filing stated.

[Related: Huntress On ‘Critical’ ConnectWise Vulnerabilities: ‘It Does Have A Certain Firestorm Potential’]

In a statement to CRN, ConnectWise said that “at this time, we cannot confirm that there is a connection between the Change Healthcare incident and the ScreenConnect vulnerability. Our initial review indicates that Change Healthcare appears not to be a ConnectWise direct customer, and our managed service provider partners have yet to come forward, stating Change Healthcare is a customer of theirs.”

ConnectWise said that it remains “committed to sharing information related to the ScreenConnect vulnerability and collaborating with the cybersecurity community and welcome additional information from the cybersecurity researchers following this situation.”

Vulnerabilities were reported on February 19 through Tampa, Fla.-based ConnectWise’s vulnerabilities disclosure channel via the ConnectWise Trust Center, according to the vendor security bulletin.

MSPs were notified of the vulnerabilities this past Monday and given instructions to update on-prem servers immediately. ConnectWise has patched all cloud environments.

In a notice to take on-prem servers offline, CISA wrote: “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable,” by February 29.

“This demonstrates the severity and the impact that we do really need to take this one seriously,” Hammond said. “They've updated it now to include that they are seeing it used to deploy ransomware.

“It’s very, very stern,” he added. “They’re saying, ‘Take care of this right now or pack it up and put it away.’ They’re trying to talk to the whole world or any business that uses this on-premise instance. It’s a slap in the face, the wake-up call, that says take action now or seriously just pull it off the shelf.”

On Thursday, CISA reported seeing active exploitation of the ScreenConnect vulnerability (tracked as CVE-2024-1709), and the vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog the same day. ConnectWise rated the vulnerability as critical when it first reported it.

“We uplifted the [cloud] version,” Patrick Beggs, ConnectWise CISO, told CRN Friday. “Sometimes the version updates just weren't showing, it’s literally that simple. There were a few glitches and we had to kind of re-push and then it happened.”

But because not every on-prem server has been updated, exploits have now been reported.

Beggs said he and his team are doing active incident response events for customers and getting through ticket queues to help as many partners as they can.

In a Thursday security alert, ConnectWise notified partners to “immediately update to 23.9.8 or higher to remediate reported vulnerabilities.”

“ConnectWise has rolled out an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later,” the alert read. “If your instance is found to be on an outdated version, an alert will be sent with instructions on how to perform the necessary actions to release the server.”
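The alert above gives one concrete threshold: an on-prem instance is acceptable only at version 23.9.8 or later. The script below is an added example, not code from ConnectWise, CISA or Huntress, of how an MSP might triage its own server inventory against that threshold. The hostnames and version strings are constructed sample data, and collecting the version list from the servers is assumed to happen elsewhere. The point it demonstrates is that version strings must be compared numerically, component by component, so that a 23.10.x build is not mistaken for being older than 23.9.8 the way a plain text comparison would rank it, and that a server whose version cannot be determined belongs in the action-required bucket, not the patched one.

```python
import re

# Minimum fixed version named in the ConnectWise alert quoted above.
REQUIRED_VERSION = "23.9.8"

# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("sc-prod-01.example.internal", "23.9.8"),
    ("sc-prod-02.example.internal", "23.9.10.8817"),
    ("sc-legacy.example.internal", "23.9.7"),
    ("sc-branch.example.internal", "22.8.3"),
    ("sc-new.example.internal", "23.10.0"),
    ("sc-unknown.example.internal", "n/a"),
]

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Convert '23.9.8' or '23.9.10.8817' into a tuple of ints.

    Tuples of ints compare component-wise, so (23, 10, 0) > (23, 9, 8).
    A plain string comparison would wrongly rank '23.10.0' < '23.9.8'
    because '1' sorts before '9'.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_patched(version, required=REQUIRED_VERSION):
    """True if version >= required.

    Shorter tuples are padded with zeros so that the three-part threshold
    23.9.8 is treated as 23.9.8.0 when compared with a four-part build number.
    """
    a, b = parse_version(version), parse_version(required)
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a >= b


def triage(inventory, required=REQUIRED_VERSION):
    """Split (hostname, version) pairs into servers that meet the minimum
    version and servers that need action per the CISA guidance: update
    immediately or take the server offline.

    A version that cannot be parsed is treated as unpatched; an unknown
    version is not evidence that the fix is present.
    """
    result = {"patched": [], "action_required": []}
    for host, version in inventory:
        try:
            ok = is_patched(version, required)
        except ValueError:
            result["action_required"].append(
                (host, version, "version unknown; verify manually or take offline")
            )
            continue
        if ok:
            result["patched"].append(host)
        else:
            result["action_required"].append(
                (host, version, f"below {required}; update now or take offline")
            )
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for host in report["patched"]:
        print(f"OK      {host}")
    for host, version, reason in report["action_required"]:
        print(f"ACTION  {host} ({version}): {reason}")
```

Run as-is to see the constructed inventory sorted into the two buckets; in practice the inventory would come from whatever asset database or RMM export the MSP keeps, and anything in the action-required list is either updated or disconnected, matching the notice's "mitigate or discontinue use" instruction.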

A ScreenConnect license revocation has also been implemented, which has “been a really great stopgap for now,” Beggs said.

And while some security experts are comparing the exploit to major attacks in the past, such as the Kaseya attack and SolarWinds, Beggs said he’s not seeing anything of that magnitude.

“This is a vulnerability exploitation, not a breach of ConnectWise infrastructure,” he said.

Hammond, however, believes the exploitation to be a large cyberattack.

“We were not going to release our proof of concept because that's just enabling threat actors,” Hammond said. “Then a proof of concept got out. It's odd because now our work has shifted to not getting ahead of the vulnerability and understanding it and sharing the intel, it's watching the internet burn and trying to respond and remediate the best we can. We're watching the world burn.”