{
"Event": {
"analysis": "2",
"date": "2024-02-23",
"extends_uuid": "",
"info": "OSINT - ConnectWise ScreenConnect attacks deliver malware",
"publish_timestamp": "1708700002",
"published": true,
"threat_level_id": "2",
"timestamp": "1708699989",
"uuid": "f8912a82-2870-4de2-9663-5fdbee0ed401",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:producer=\"Sophos\"",
"relationship_type": ""
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1708696126",
"uuid": "de430685-633a-48a8-b7eb-55c7168f5bce",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1708696126",
"to_ids": false,
"type": "link",
"uuid": "cd7cc81c-2a76-410d-ba7e-cc1b8fe2a068",
"value": "https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1708696126",
"to_ids": false,
"type": "text",
"uuid": "bb5a7f61-4c78-4f14-961b-29f2fa87ab0d",
"value": "ConnectWise ScreenConnect attacks deliver malware\r\nMultiple attacks exploit vulnerabilities in an IT remote access tool to deliver a variety of different payloads into business environments"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "title",
"timestamp": "1708696126",
"to_ids": false,
"type": "text",
"uuid": "56f9f969-bbff-493f-924a-9268ba0a828d",
"value": "ConnectWise ScreenConnect attacks deliver malware"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1708696126",
"to_ids": false,
"type": "text",
"uuid": "2bfbc86e-b3bd-41fa-bbf2-f7f8519d4402",
"value": "Blog"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.",
"meta-category": "vulnerability",
"name": "vulnerability",
"template_uuid": "81650945-f186-437b-8945-9f31715d32da",
"template_version": "8",
"timestamp": "1708696355",
"uuid": "85a30426-433a-4ec0-ac82-ac8a13b0b2ac",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "id",
"timestamp": "1708696355",
"to_ids": false,
"type": "vulnerability",
"uuid": "4554b911-da2d-45c7-9e09-d3f0c5851802",
"value": "CVE-2024-1709"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "id",
"timestamp": "1708696355",
"to_ids": false,
"type": "vulnerability",
"uuid": "916f9502-0c0c-43f9-b1e9-1e483784c441",
"value": "CVE-2024-1708"
}
]
},
{
"comment": "At least one threat actor is abusing ScreenConnect to deploy a ransomware executable. Sophos suspects it is the same person or group; an identical payload (SHA-256 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a) was discovered in more than 30 different customer networks, beginning on February 22. This distribution pattern is strongly indicative of the threat actor pushing the payload from a compromised server.",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1708696459",
"uuid": "01d80244-d9bb-4eef-a64c-6067475a21da",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1708696459",
"to_ids": true,
"type": "sha256",
"uuid": "1df4d32e-5cea-4bee-84c4-8d5b25f43653",
"value": "2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1708696459",
"to_ids": false,
"type": "text",
"uuid": "14ea9f28-7e0b-42f4-a677-f5fc8c80b228",
"value": "Malicious"
}
]
},
{
"comment": "We also saw a different attacker attempt to drop another payload (a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0) using the certutil utility to download it from a web address, write it to the root of the C:\\ drive with the filename svchost.exe, and execute it. In this case, the behavioral rule Lateral_1b blocked the file from being downloaded and the attack failed.",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1708696598",
"uuid": "1cd45224-4b4c-4889-829a-343692331a52",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1708696598",
"to_ids": true,
"type": "sha256",
"uuid": "c8b7446f-d248-4304-94c1-4607a17a3c13",
"value": "a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1708696599",
"to_ids": false,
"type": "text",
"uuid": "33a3368d-c0d9-4a07-b2e1-12afefc1c296",
"value": "Malicious"
}
]
},
{
"comment": "Telemetry indicates attackers are also pushing the Vidar/Redline data stealer malware (SHA-256 c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f) via ScreenConnect. The HMPA CookieGuard and TTP classifications (T1555.003) trigger on this type of attack. The attack looks like ScreenConnect.WindowsClient.exe launching the malware from a file path given in the source report; that path was not carried over into this object, so consult the linked Sophos article for it.",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1708696711",
"uuid": "5ce43c0d-825a-420f-9c87-8b053137f8e5",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1708696711",
"to_ids": true,
"type": "sha256",
"uuid": "3f741526-c39a-4d48-88e5-91eceef5a9b5",
"value": "c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1708696711",
"to_ids": false,
"type": "text",
"uuid": "fba2e988-2639-4700-b4c5-2a8cd3759d67",
"value": "Malicious"
}
]
}
],
"EventReport": [
{
"name": "Report from - https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/ (1708696253)",
"content": "# Situation overview\r\n\r\n On February 19, 2024, ConnectWise released a security advisory for its remote monitoring and management (RMM) software. Their advisory highlighted two vulnerabilities that impact older versions of ScreenConnect and have been **mitigated in version 23.9.8 and later.**\r\n\r\n ConnectWise states in the advisory these vulnerabilities are rated as **\u201cCritical\u2014Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems\u201d.** The two vulnerabilities are:\r\n\r\n \r\n * CVE-2024-1709 (CWE-288) \u2014 Authentication Bypass Using Alternate Path or Channel \r\n\t + Base CVSS score of 10, indicating \u201cCritical\u201d \r\n * CVE-2024-1708 (CWE-22) \u2014 Improper Limitation of a Pathname to a Restricted Directory (\u201cPath Traversal\u201d) \r\n\t + Base CVSS score of 8.4, still considered \u201cHigh Priority\u201d \r\n \r\n The vulnerabilities can affect both the ScreenConnect server and ScreenConnect client software, in different ways. Attackers have found that they can deploy malware to servers or to workstations with the client software installed. Sophos has evidence that attacks against both servers and client machines are currently underway. Patching the server will not remove any malware or webshells attackers manage to deploy prior to patching and any compromised environments need to be investigated.\r\n\r\n Cloud-hosted implementations of ScreenConnect, including screenconnect.com and hostedrmm.com, have already received updates to address these vulnerabilities. Self-hosted (on-premise) instances remain at risk until they are manually upgraded, and it is our recommendation to patch to ScreenConnect version 23.9.8 immediately. 
The upgrade is available on ScreenConnect\u2019s download page.\r\n\r\n On February 21, 2024, proof of concept (PoC) code was released on GitHub that exploits these vulnerabilities and adds a new user to the compromised system. ConnectWise has also updated their initial report to include observed, active exploitation in the wild of these vulnerabilities.\r\n\r\n On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool. It appears that our signature-based detection correctly identified the payloads as ransomware generated by the leaked LockBit builder, but the ransom notes dropped by those payloads identified one as \u201cbuhtiRansom,\u201d and the other did not have a name in its ransom note.\r\n\r\n This article includes additional details and analysis of the ScreenConnect attacks Sophos observed in the past 48 hours.\r\n\r\n # Recommendations\r\n\r\n \r\n * Confirm whether you have an on-premises deployment of ScreenConnect Server \r\n\t + If you have an on-premises instance in your environment running a version prior to 23.9.8, take it offline immediately and keep it isolated until it has been upgraded to the newest version and investigated for signs of exploitation\r\n\t + If you have an on-premises version in your environment that was updated to version 23.9.8 or later prior to February 21 (the date public PoC code appeared and in-the-wild exploitation was confirmed), you are unlikely to have been exploited, though it is still prudent to inspect the server for malicious payloads, webshells and unexpected user accounts\r\n\t + If you use the cloud-hosted version, you are not at risk and no further actions are necessary \r\n * If your deployment of ScreenConnect Server is hosted by a third-party vendor, confirm with them they have upgraded their instance to 23.9.8 or later; if they have not, 
recommend that they take it offline until the patches are applied\r\n * Scan your environment and customer environments for instances of ScreenConnect that you may not be aware of, to avoid the risk of those ScreenConnect being unpatched and exposing the environment to a Supply Chain Attack\r\n * If you have ScreenConne
"id": "404",
"event_id": "208171",
"timestamp": "1708696281",
"uuid": "c077c950-3bc9-4a59-be82-a7388d56e53e",
"deleted": false
}
]
}
}