
ScreenConnect attacks distribute malware, according to Sophos News

Sophos X-Ops is currently tracking a wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations, and has provided advice and guidance for customers, researchers, investigators, and incident responders. The information is based on observations and analysis of attacks involving the ScreenConnect client or server by SophosLabs, Sophos Managed Detection and Response (MDR), and Sophos Incident Response (IR). ConnectWise released a security advisory on February 19, 2024, highlighting two critical vulnerabilities impacting older versions of ScreenConnect. The vulnerabilities, CVE-2024-1709 and CVE-2024-1708, could allow remote code execution or impact confidential data and critical systems. ConnectWise recommends upgrading to version 23.9.8 or later to mitigate these vulnerabilities.

Sophos has observed active exploitation of these vulnerabilities against both ScreenConnect servers and client machines. Cloud-hosted implementations have already received updates, while on-premises instances remain at risk until they are manually upgraded. Sophos advises immediate patching to version 23.9.8 and recommends scanning for unpatched instances of ScreenConnect in both customer and internal environments to prevent supply chain attacks. The recent release of proof-of-concept code on GitHub and reports of active exploitation in the wild further underscore the urgency of patching vulnerable systems.

Sophos X-Ops reported attacks involving LockBit ransomware targeting ScreenConnect installations, with evidence of malicious activity increasing since the vulnerabilities were disclosed. Threat actors are leveraging these exploits to deploy various types of malware and launch attacks against target machines. Sophos has identified a ransomware executable built with the leaked LockBit 3 ransomware builder tool, labeled as “buhtiRansom,” being distributed across multiple customer networks. The ransomware did not identify itself as LockBit, indicating a copycat build using the leaked builder tool.

In response to the escalating threat landscape, Sophos recommends a series of protective measures, including isolating unpatched ScreenConnect servers, implementing Sophos Application Control Policy to block ScreenConnect, and conducting thorough reviews of ScreenConnect installations for signs of compromise. Additionally, deploying endpoint security, enabling new IDS signatures in XG Firewall, and utilizing penetration-testing tools like Metasploit Framework can enhance defense against potential exploits. Sophos continues to monitor telemetry systems for malicious activity involving ScreenConnect software and advises vigilance in detecting and mitigating threats in real time.
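The scan for unpatched ScreenConnect instances that the article recommends boils down to comparing each server's reported version against the fixed release, 23.9.8. The following is an added example (not code from Sophos or ConnectWise) that classifies an inventory of version banners; the banner format `ScreenConnect/<version>` and the host records are constructed assumptions, and only the first three version components are compared so that build numbers do not affect the verdict.

```python
"""Classify ScreenConnect inventory records against the patched release.

Added example. The patched version (23.9.8) comes from the ConnectWise
advisory cited in the article; the banner format and hosts are constructed.
"""
import re
from typing import List, NamedTuple, Tuple

PATCHED_VERSION = (23, 9, 8)  # first fixed release per the advisory

# Assumed banner format: "ScreenConnect/<major>.<minor>.<patch>[.<build>]"
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


class HostStatus(NamedTuple):
    host: str
    version: Tuple[int, ...]  # empty tuple when no version could be parsed
    patched: bool


def parse_version(banner: str) -> Tuple[int, ...]:
    """Extract a dotted version such as 23.9.7.8804 from a banner string."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version: Tuple[int, ...]) -> bool:
    """True when major.minor.patch >= 23.9.8; build numbers are ignored.
    A version with fewer than three components compares as lower, so an
    incomplete banner is conservatively treated as unpatched."""
    return version[:3] >= PATCHED_VERSION


def classify(records: List[Tuple[str, str]]) -> List[HostStatus]:
    """Map (host, banner) pairs to HostStatus; unparseable banners are
    flagged as unpatched so they are reviewed by hand rather than skipped."""
    results = []
    for host, banner in records:
        try:
            version = parse_version(banner)
        except ValueError:
            version = ()
        results.append(HostStatus(host, version, is_patched(version)))
    return results


SAMPLE_INVENTORY = [  # constructed records, not real hosts
    ("sc-prod.example.internal", "ScreenConnect/23.9.8.8811"),
    ("sc-legacy.example.internal", "ScreenConnect/23.9.7.8804"),
    ("sc-old.example.internal", "ScreenConnect/22.6.10"),
    ("sc-new.example.internal", "ScreenConnect/24.1.0"),
    ("unknown.example.internal", "no banner"),
]

if __name__ == "__main__":
    for status in classify(SAMPLE_INVENTORY):
        if not status.patched:
            print(f"REVIEW {status.host}: version {status.version or 'unknown'}")
```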
