{"id":78567,"date":"2024-02-26T16:06:15","date_gmt":"2024-02-26T16:06:15","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/02\/26\/researchers-say-easy-to-exploit-security-bugs-in-connectwise-remote-access-software-now-under-mass-attack-techcrunch\/"},"modified":"2024-02-26T16:06:15","modified_gmt":"2024-02-26T16:06:15","slug":"researchers-say-easy-to-exploit-security-bugs-in-connectwise-remote-access-software-now-under-mass-attack-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/02\/26\/researchers-say-easy-to-exploit-security-bugs-in-connectwise-remote-access-software-now-under-mass-attack-techcrunch\/","title":{"rendered":"Researchers say easy-to-exploit security bugs in ConnectWise remote access software now under mass-attack | TechCrunch"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\">Security researchers say a pair of easy-to-exploit flaws in a popular remote access tool used by more than a million companies around the world are now being mass-exploited, with hackers abusing the vulnerabilities to deploy ransomware and steal sensitive data.<\/p>\n<p>Cybersecurity giant Mandiant <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/connectwise-screenconnect-hardening-remediation\" target=\"_blank\" rel=\"noopener\">said in a post on Friday<\/a> that it has \u201cidentified mass exploitation\u201d of the two flaws in ConnectWise ScreenConnect, a popular remote access tool that allows IT and technicians to remotely provide technical support directly on customer systems over the internet.<\/p>\n<p>The two vulnerabilities comprise CVE-2024-1709, an authentication bypass vulnerability that <a href=\"https:\/\/techcrunch.com\/2024\/02\/21\/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit\/\" 
target=\"_blank\" rel=\"noopener\">researchers deemed \u201cembarrassingly easy\u201d for attackers to exploit<\/a>, and CVE-2024-1708, a path traversal vulnerability that allows hackers to remotely plant malicious code, such as malware, on vulnerable ConnectWise customer instances.<\/p>\n<p>ConnectWise first disclosed the flaws on February 19 and urged on-premise customers to install security patches immediately. However, thousands of servers remain vulnerable, <a href=\"https:\/\/twitter.com\/Shadowserver\/status\/1760740607268638809\" target=\"_blank\" rel=\"noopener\">according to data from the Shadowserver Foundation<\/a>, and each of these servers can manage up to 150,000 customer devices.<\/p>\n<p>Mandiant said it had identified \u201cvarious threat actors\u201d exploiting the two flaws and warned that \u201cmany of them will deploy ransomware and conduct multifaceted extortion,\u201d but did not attribute the attacks to specific threat groups.<\/p>\n<p>Finnish cybersecurity firm WithSecure said in <a href=\"https:\/\/labs.withsecure.com\/publications\/new-krustyloader-variant-dropped-via-screenconnect-exploit\" target=\"_blank\" rel=\"noopener\">a blog post<\/a> Monday that its researchers have also observed \u201cen-mass exploitation\u201d of the ScreenConnect flaws from multiple threat actors. WithSecure said these hackers are exploiting the vulnerabilities to deploy password stealers, backdoors, and in some cases ransomware.<\/p>\n<p>WithSecure said it also observed hackers exploiting the flaws to deploy a Windows variant of the KrustyLoader backdoor on unpatched ScreenConnect systems, the same kind of backdoor planted by hackers <a href=\"https:\/\/techcrunch.com\/2024\/01\/11\/ivanti-connect-vpn-zero-days-china-backed-hackers\/\" target=\"_blank\" rel=\"noopener\">recently exploiting vulnerabilities in Ivanti\u2019s corporate VPN software<\/a>. 
WithSecure said it could not yet attribute the activity to a particular threat group, though others have linked the past activity to a China-backed hacking group focused on espionage.<\/p>\n<p>Security researchers at Sophos and Huntress both said last week that they had <a href=\"https:\/\/techcrunch.com\/2024\/02\/23\/hackers-are-exploiting-connectwise-flaws-to-deploy-lockbit-ransomware-security-experts-warn\/\" target=\"_blank\" rel=\"noopener\">observed the LockBit ransomware gang launching attacks<\/a> that exploit the ConnectWise vulnerabilities \u2014 just days after an international law enforcement operation claimed to <a href=\"https:\/\/techcrunch.com\/2024\/02\/20\/us-uk-authorities-claim-seizure-of-lockbit-ransomware-gangs-dark-web-leak-site\/\" target=\"_blank\" rel=\"noopener\">disrupt the notorious Russia-linked cybercrime gang\u2019s operations<\/a>.<\/p>\n<p>Huntress <a href=\"https:\/\/www.huntress.com\/blog\/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\" target=\"_blank\" rel=\"noopener\">said in its analysis<\/a> that it has since observed a \u201cnumber of adversaries\u201d leverage exploits to deploy ransomware, and a \u201csignificant number\u201d of adversaries using exploits deploy <a href=\"https:\/\/techcrunch.com\/tag\/crypto-mining\/\" target=\"_blank\" rel=\"noopener\">cryptocurrency mining<\/a> software, install additional \u201clegitimate\u201d remote access tools to maintain persistent access to a victim\u2019s network, and create new users on compromised machines.<\/p>\n<p>It\u2019s not yet known how many ConnectWise ScreenConnect customers or end users are affected by these vulnerabilities, and ConnectWise spokespeople did not respond to TechCrunch\u2019s questions. 
The company\u2019s website claims that the organization provides its remote access technology to more than a million small to medium-sized businesses that manage over 13 million devices.<\/p>\n<p>On Sunday, ConnectWise called off a prearranged interview between TechCrunch and its CISO Patrick Beggs, scheduled for Monday. ConnectWise did not give a reason for the last-minute cancellation.<\/p>\n<p><em>Are you affected by the ConnectWise vulnerability? You can contact Carly Page securely on Signal at +441536 853968 or by email at carly.page@techcrunch.com. You can also contact TechCrunch via <a href=\"https:\/\/techcrunch.com\/tips\" target=\"_blank\" rel=\"noopener\">SecureDrop<\/a>.<\/em><\/p>\n<hr\/><\/div>\n<p><a href=\"https:\/\/techcrunch.com\/2024\/02\/26\/researchers-say-easy-to-exploit-security-bugs-in-connectwise-remote-access-software-now-under-mass-attack\/\" target=\"_blank\" rel=\"noopener\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers say a pair of easy-to-exploit flaws in a popular remote access tool used by more than a million companies around the world are now being mass-exploited, with hackers abusing the vulnerabilities to deploy ransomware and steal sensitive data. 
Cybersecurity giant Mandiant said in a post on Friday that it has \u201cidentified mass exploitation\u201d [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":78568,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-78567","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/78567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=78567"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/78567\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/78568"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=78567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=78567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=78567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}