Tuesday, April 29, 2025
HomeCVE/vulnerabilityHackers Actively Hijacking ConnectWise ScreenConnect server

Hackers Actively Hijacking ConnectWise ScreenConnect server

Published on

SIEM as a Service

Follow Us on Google News

ConnectWise, a prominent software company, issued an urgent security bulletin on February 19, 2024, revealing two significant vulnerabilities in its self-hosted ScreenConnect servers.

These vulnerabilities were initially reported on February 13 through a vulnerability disclosure program and were not actively exploited until February 20.

The first vulnerability, identified as CVE-2024-1708, is a path traversal issue with a high severity score of 8.4.

- Advertisement - Google News

The second, CVE-2024-1709, is a remote code execution flaw with a maximum severity score of 10.0, indicating a critical risk.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Analysis by the Shadowserver Foundation, & Shodan search engine found over 8,200 publicly accessible, unpatched ScreenConnect servers, predominantly in the United States, Canada, and the United Kingdom.

Exploits and Malware Distribution

By February 21, a proof-of-concept exploit was uploaded to GitHub, and a Metasploit module for CVE-2024-1709 was released, making the vulnerabilities easily exploitable by hackers of varying skill levels.

Secureworks researchers discovered that several of their customers’ servers had been scanned for these vulnerabilities, with some showing evidence of intrusion.

One incident involved the execution of a Cobalt Strike Beacon payload through a compromised ScreenConnect server.

Another attack involved downloading a legitimate SentinelUI.exe file, a DLL, and an encrypted file containing an encoded payload.

This malware impersonated Microsoft Windows Update network traffic for communication.

Huntress and Sophos reported similar incidents where Cobalt Strike Beacon and other malware like LockBit ransomware and AsyncRAT were distributed after exploiting these vulnerabilities.

Organizations are recommended to immediately upgrade vulnerable ScreenConnect servers and conduct forensic examinations for signs of exploitation.

They also recommend using available controls to review and restrict access based on the indicators provided in their security bulletin.

Secureworks Counter Threat shared a list of IP addresses and domain names associated with the attacker infrastructure, MD5, SHA1, and SHA256 hashes of the distributed Cobalt Strike Beacon DLLs and other malware samples; the list can be found here.

Organizations should consider the risks before opening these indicators in a browser, as they may contain malicious content.

ConnectWise’s security bulletin serves as a critical alert for organizations using ScreenConnect servers to take immediate action to protect their networks from these serious threats.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

19 APT Hackers Target Asia-based Company Servers Using Exploited Vulnerabilities and Spear Phishing Email

The NSFOCUS Fuying Laboratory’s global threat hunting system identified 19 sophisticated Advanced Persistent Threat...

FBI Reports ₹1.38 Lakh Crore Loss in 2024, a 33% Surge from 2023

The FBI’s Internet Crime Complaint Center (IC3) has reported a record-breaking loss of $16.6...

Fog Ransomware Reveals Active Directory Exploitation Tools and Scripts

Cybersecurity researchers from The DFIR Report’s Threat Intel Group uncovered an open directory hosted...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

19 APT Hackers Target Asia-based Company Servers Using Exploited Vulnerabilities and Spear Phishing Email

The NSFOCUS Fuying Laboratory’s global threat hunting system identified 19 sophisticated Advanced Persistent Threat...

FBI Reports ₹1.38 Lakh Crore Loss in 2024, a 33% Surge from 2023

The FBI’s Internet Crime Complaint Center (IC3) has reported a record-breaking loss of $16.6...