Anatomy Of A Vulnerability: ScreenConnect From Publication To Exploitation

In a security bulletin on February 19, ConnectWise announced critical vulnerabilities (CVE-2024-1708 & CVE-2024-1709) to its on-premises ScreenConnect product (identified and responsibly reported by one of Kroll’s SOC analysts), allowing attackers to takeover an organization’s ScreenConnect.

The vulnerability, trivial to exploit, allows anonymous individuals to a create system admin account on publicly exposed instances of the product. Following the publication, many security researchers predicted mass exploitation of the vulnerability and in less than 48 hours from the initial announcement, many proof-of-concept exploits were readily available.

In the immediate aftermath, Kroll observed many incident response engagements connected to the vulnerabilities. Most of the cases occurred with an initial access date on or +2 days from February 21, when the first proof-of-concept exploits were published.

These cases impacted multiple sectors including education, health care and retail and were orchestrated by threat actor types ranging from well-known ransomware-as-a-service (RaaS) operations to nation-state actors and lone wolf actors.

RaaS Operations

Kroll observed affiliates associated with multiple RaaS operations, such as MEDUSA and PLAY, leverage the vulnerability for access. 
While most instances involved direct access to a victim’s ScreenConnect instance, at least one victim was infected with ransomware via their third-party managed service provider’s instance. In this case, Kroll observed PLAY ransomware deployment on February 24, 2024, three days after initial access and five days after initial publication of the vulnerability.

Once inside the networks, techniques were similar across ransomware cases. Most actors used their access to ScreenConnect to conduct internal reconnaissance on the organization, gathering information on the host names, domain computers and user accounts and viewing folder directories and files.

Another similarity across RaaS cases was the use of pre-cursor malware or remote access trojans (RAT) that were detonated prior to the actual ransomware deployment. An actor who ultimately deployed MEDUSA ransomware deployed the RAT JWRAPPER and later used BURNTCIGAR malware, which is known to target SentinelOne to help actors evade detection on a system. Another actor who deployed the PLAY ransomware payload first executed a SABKIS trojan on the system.

In the incident where an actor deployed MEDUSA ransomware, once access was made via ScreenConnect, the actor was observed using the ScreenConnect tool to conduct internal reconnaissance such as hunting for domain computers, trusted domains and a list of domain controllers.  The actor used this information to move laterally into multiple hosts during their period of access. Nearly eight days after initial access, the actor began exfiltrating data from the system using RClone.  The specific RClone command filtered through folder and path directories, using the following command which filters on file extension and age of the file. This command has been observed in other Kroll engagements and is likely indicative of threat actors trying to maximize the value of data collected during exfiltration.

FS --ignore-case --ignore-existing --auto-confirm --multi-thread-streams 10 --transfers 10 --checkers 10 --tpslimit 10 --include *.docx --include *.docm --include *.pdf --include *.pptx --include *.xls --include *.xlsx --include *.ppt --include *.txt --include *.TXT --include *.pptx --include *.doc --include *.csv --include *.jpeg --include *.jpg --include *.msg --max-size 1000M --max-age 1200d

In this case, Kroll observed the actor using different defense evasion techniques such as changing system time and using BURNTCIGAR, an antivirus killing tool to target Sentinel One binaries. Shortly after the introduction of BURNTCIGAR, MEDUSA ransomware was deployed via Windows service PDQDeployRunner.

Nation-State Activity

On February 21, immediately following the vulnerability publication, Kroll observed an attempted compromise that was detected and stopped by the Kroll Responder team. In this case, the actor gained access to the victim’s workstation via the exposed setup wizard of the ScreenConnect application. From there, they leveraged their access to try to use cmd.exe to execute mshta.exe with a URL to the Visual Based (VB) based  malware.

Code review of the payload downloaded by the MSHTA utility identified similarities and overlap with BABYSHARK malware. Kroll named the malware TODDLERSHARK and assessed that it is likely related to known APT group Kimsuky (KTA082). 

Lone Wolf Actors

Kroll also observed actors leveraging the vulnerability to deploy what appeared to be a leaked version of Lockbit 3.0. In these instances, the actors showed low sophistication, asked for ransom amounts of $2,000 or less and did not exfiltrate data. It is likely that these attackers were lone wolf actors who were weaponizing the version of Lockbit leaked on Twitter in September 2022. Kroll observed several attacks likely connected with lone wolf actors in the immediate period following vulnerability publication and continued to track lone wolf actors leveraging the vulnerability into mid-March. After the mid-March time frame (roughly three weeks from initial publication), Kroll saw a decrease in activity related to this vulnerability, likely due to robust patching.

Conclusion

A review of the activity around ScreenConnect confirms that threat actors of all types are largely opportunistic when it comes to initial access and will attempt to leverage vulnerabilities with the best chances of getting into a victims’ network. It also helps inform defenders of how to prioritize patch management. Not every critical vulnerability becomes a flashpoint for threat actor exploitation, as many are hard to exploit.

The ScreenConnect vulnerabilities instantly became a popular nexus likely due to the following:

• Attacker did not have to be authenticated
• Trivial to exploit
• Widely available proof-of-concept exploits
• A legitimate tool that is already popular with threat actors

Criteria such as the above, are critical to determine patch prioritization. Working with a trusted threat intelligence provider which can guide you on such decision-making is crucial to resilience.

Read more on how Kroll’s frontline threat intelligence can improve defenses against the most pervasive cyber threats.