The ConnectWise cyberattack just got a whole lot worse


The recent ConnectWise cyberattack may have taken a turn for the worse after multiple security companies confirmed that hackers are exploiting the recently discovered flaws en masse.

Last week, ConnectWise confirmed finding and patching two critical security vulnerabilities in its ScreenConnect product.

"Vulnerabilities were reported February 13, 2024, through our vulnerability disclosure channel via the ConnectWise Trust Center," ConnectWise warned in a security advisory.

Major campaign

At the time the advisory was issued, the company had no evidence of exploitation in the wild, "but immediate action must be taken by on-premise partners to address these identified security risks," it warned.

The two flaws are now tracked as CVE-2024-1709 (an authentication bypass) and CVE-2024-1708 (a path traversal vulnerability). The bugs could be used to drop malware on vulnerable ScreenConnect instances (versions 23.9.7 and older) and steal sensitive data, all without requiring user interaction.
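Since the article names the affected range as 23.9.7 and older, an on-premise administrator's first step is to triage the installed versions. The script below is an added example, not ConnectWise's code; it assumes version strings in the usual dotted form (a fourth build component, as in "23.9.8.8811", is tolerated but ignored), and it deliberately avoids plain string comparison, which would wrongly rank "23.9.10" below "23.9.7".

```python
import re

# Highest affected release named in the advisory coverage: 23.9.7 and older.
LAST_AFFECTED = (23, 9, 7)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '23.9.7' or '23.9.8.8811' into a numerically comparable tuple.

    A numeric tuple is used because lexical comparison of the raw strings
    would treat '23.9.10' as older than '23.9.7'.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised ScreenConnect version string: {text!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the version falls in the '23.9.7 and older' range."""
    return parse_version(version) <= LAST_AFFECTED


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {host: version} inventory into hosts needing a patch and hosts already current.

    Hosts whose version string cannot be parsed are listed separately so they
    are not silently treated as safe.
    """
    result: dict[str, list[str]] = {"affected": [], "current": [], "unparseable": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "current"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "sc-prod-01": "23.9.7",
    "sc-prod-02": "23.9.8.8811",
    "sc-lab-01": "22.8.3",
    "sc-lab-02": "23.9.10",
    "sc-legacy": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```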

ScreenConnect is a remote access platform, reportedly used by more than one million companies around the world.

A company spokesperson told TechCrunch the majority of its clients (80%) use cloud-based environments which were patched within two days.

Now, security firms Mandiant, WithSecure, Sophos, and Huntress have all confirmed mass exploitation of the flaws. Even some high-profile names, such as the LockBit ransomware gang, were confirmed to have been using the flaws to deploy droppers.

Mandiant recently published a blog post saying it "identified mass exploitation." A few days later, WithSecure observed "en-mass exploitation" from multiple groups using the flaws to drop password stealers, backdoors, and even ransomware.

Huntress said it observed "a number of adversaries", including LockBit, which was recently the target of a major international law enforcement operation.

It is not yet possible to determine exactly how many firms were affected by the flaws, but TechCrunch reported that more than one million SMBs managing over 13 million devices are ConnectWise customers.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.