On Feb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting its remote desktop software application, ScreenConnect.
These vulnerabilities were first reported through their vulnerability disclosure channel in the ConnectWise Trust Center.
On Feb. 19, 2024, ConnectWise publicly disclosed the vulnerabilities in a security bulletin.
As of Feb. 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally.
The authentication bypass vulnerability is considered to be trivially exploitable, and proof-of-concept exploits are already available.
We assess with high confidence that this vulnerability will be actively targeted by various types of threat actors, including cybercriminals and nation-state actors, given the severity and scope of the vulnerability and the nature of the impacted product.
Earlier scans showed that nearly three-quarters of these hosts were in the U.S. The top ten countries accounted for over 95% of global exposure.
Our observations are summarized in Figure 1 and Table 1.
Top ten countries with ConnectWise ScreenConnect exposure.
The ConnectWise bulletin indicates that ScreenConnect servers hosted in screenconnect[.]com have been updated to remediate the issue and no end user action is required.
For those with self-hosted or on-premise deployments, the guidance is to patch as soon as possible.
Unit 42 will continue to monitor the situation and will update this post as more information becomes available.
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
Advanced URL Filtering categorizes exploit and scanning attempts as Scanning Activity.
Cortex XDR and XSIAM help protect against post-exploitation activities using the multi-layer protection approach.
Cortex Xpanse has added Attack Surface Rules for generic ConnectWise ScreenConnect as well as for known insecure versions of identified ConnectWise ScreenConnect instances.
These rules are also available to XSIAM customers who have purchased the ASM module.
Cortex Xpanse has published a new Threat Response Center event for this pair of vulnerabilities.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Thu, 22 Feb 2024 01:43:06 +0000