ConnectWise ScreenConnect Vulnerabilities: 5 Things To Know

‘It's important that folks keep up with good cyber hygiene,’ says Patrick Beggs, CISO for ConnectWise. ‘With any vulnerability that can be exploited, if you're not patched it can be a threat. As a software company we want to maintain your hygiene [and have a] security first mentality.’

On Feb. 13, ConnectWise reported vulnerabilities found in its ScreenConnect tool that impacted both cloud and on-prem instances.

The Tampa, Fla.-based vendor notified partners via the ConnectWise Trust Center, according to the vendor’s security bulletin.

MSPs were notified of the vulnerabilities last Monday, Feb. 19, and given instructions to update on-prem servers immediately. ConnectWise has patched all cloud evulnvironments.

“It's important that folks keep up with good cyber hygiene,” Patrick Beggs, CISO for ConnectWise, told CRN. “With any vulnerability that can be exploited, if you're not patched, it can be a threat. As a software company we want to maintain your hygiene [and have a] security first mentality.”

ConnectWise mitigated about 80 percent of the ScreenConnect population last week, according to Ciaran Chu, general manager of ConnectWise ScreenConnect. The vendor also backdated upgrade patches for the last 20 releases.

“Our crucial communication is for the on-prem partner base because obviously they're the guys that are updating their versions and patching themselves, whereas in the cloud we obviously do it for them,” Chu told CRN. “We've mitigated the majority of our customer base at this point but we're not going to rest until all of our customers are mitigated.”

He said ConnectWise has been running reports every hour to see how many on-prem partners are upgrading and then continuously reaching out to those who have yet to do so.

Check out five things to know about the ConnectWise ScreenConnect vulnerabilities.

'Mass Exploitation’

On Friday, cybersecurity vendor Mandiant identified "mass exploitation" of the vulnerabilities by various threat actors.

“Many of them will deploy ransomware and conduct multifaceted exortion,” a post on Mandiant’s website states.

Also on Friday, threat hunting firm Huntress said it had detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation. Exploits being deployed include ransomware, cryptocurrency coin miners, Cobalt Strike and additional remote access.

“We're seeing such a variety of different attempts,” John Hammond, principal security researcher at Ellicott City, Maryland-based Huntress, told CRN. “So many different threat actors are just taking advantage of these golden hours of exploitation.

“It's odd because now our work has shifted to not getting ahead of the vulnerability and understanding it and sharing the intel, it's watching the internet burn and trying to respond and remediate the best we can,” he added, “We're watching the world burn.”

One company, UnitedHealth Group's Change Healthcare, was experiencing slowdowns at pharmacies due to a strain of LockBit malware related to ScreenConnect vulnerabilities, according to a report on SC Magazine.

In an 8-K filing with the U.S. Securities and Exchange Commission on Wednesday, United Healthcare Group, the parent company of Change HealthCare, “identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology system.

“During the disruption, certain networks and transactional services may not be accessible,” the filing stated.

However, in a statement to CRN on Saturday, ConnectWise said that “at this time, we cannot confirm that there is a connection between the Change Healthcare incident and the ScreenConnect vulnerability. Our initial review indicates that Change Healthcare appears not to be a ConnectWise direct customer, and our managed service provider partners have yet to come forward, stating Change Healthcare is a customer of theirs.”

ConnectWise said that it remains “committed to sharing information related to the ScreenConnect vulnerability and collaborating with the cybersecurity community and welcome additional information from the cybersecurity researchers following this situation.”

CISA Adds Vulnerabilities To Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has seen active exploits and the vulnerabilities (tracked as CVE-2024-1709) were added to CISA’s Known Exploited Vulnerabilities Catalog Thursday. ConnectWise has rated the vulnerabilities as critical when it first reported it.

In a security bulletin updated on Wednesday, ConnectWise said, “Cloud partners are remediated against both vulnerabilities reported on February 19. No further action is required from any cloud partner (“screenconnect.com” cloud and “hostedrmm.com”).”

“ScreenConnect version 23.9.10.8817 was released containing a number of fixes to improve customer experience,” the security update read. “It is always recommended to be on the latest version but 23.9.8 is the minimum version that remediated the reported vulnerabilities. As part of this release, ConnectWise has removed license restrictions, so partners no longer under maintenance can upgrade to the latest version of ScreenConnect.”

CISA Gives ConnectWise Partners Four Days To Update

CISA issued a notice last Thursday that ConnectWise partners and end customers should pull the cord on all on-prem ScreenConnect servers if they cannot update to the latest version amid the exploit.

In a notice to take on-prem servers offline, CISA wrote: “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable,” by February 29.

“This demonstrates the severity and the impact that we do really need to take this one seriously,” said John Hammond, principal security researcher at threat hunting firm Huntress. “They've updated it now to include that they are seeing it used to deploy ransomware.

“It’s very, very stern,” he added. “They’re saying, ‘Take care of this right now or pack it up and put it away.’ They’re trying to talk to the whole world or any business that uses this on-premise instance. It’s a slap in the face, the wake-up call, that says take action now or seriously just pull it off the shelf.”

ConnectWise Gives Update

On Friday, ConnectWise posted on its security bulletin that it “has taken an exception step to support partners no longer under maintenance by making them eligible to install version 22.4 at no additional cost, which will fix CVE-2024-1709, the critical vulnerability. However, this should be treated as an interim step. ConnectWise recommends on-premise partners upgrade to remain within maintenance to gain access to all security and product enhancements.”

One day before, ConnectWise security teams recommended on-premise partners immediately update to 23.9.8 or higher to remediate reported vulnerabilities.

“ConnectWise has rolled out an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later,” the security bulletin read. “If your instance is found to be on an outdated version, an alert will be sent with instructions on how to perform the necessary actions to release the server.”

Beggs said last week that he and his team were doing active incident response events for customers and getting through ticket queues to help as many partners as they can.

And while some security experts are comparing the exploit to major attacks in the past, such as the Kaseya attack and SolarWinds, Beggs said he’s not seeing anything of that magnitude.

“This is a vulnerability exploitation, not a breach of ConnectWise infrastructure,” he said.