Cybersecurity experts have raised alarms about critical vulnerabilities in ConnectWise’s widely-used remote-access software

ConnectWise ScreenConnect is currently being exploited on a large scale. These vulnerabilities are allowing attackers to deploy ransomware and exfiltrate sensitive data from the systems of over a million businesses globally.

Mandiant, a leading cybersecurity firm, reported on Friday that it has detected widespread exploitation of two significant security flaws in ScreenConnect, a tool that enables IT professionals to remotely access and support customer
systems via the internet. The identified vulnerabilities are CVE-2024-1709, an authentication bypass flaw that can be exploited with minimal effort, and CVE-2024-1708, a path-traversal flaw that permits remote attackers to inject malicious code, including
malware, into affected ConnectWise customer systems.

ConnectWise acknowledged these security issues on February 19, advising customers with on-premise installations to apply security updates immediately. Despite this, the Shadowserver Foundation’s data indicates that numerous servers
remain unprotected, with each server potentially managing up to 150,000 customer devices.

Mandiant has observed multiple threat actors exploiting these vulnerabilities, with a focus on deploying ransomware and engaging in extensive extortion campaigns, though specific groups responsible for these attacks have not been
pinpointed.

Additionally, Finnish cybersecurity entity WithSecure reported on Monday its detection of widespread exploitation by various hackers, noting the use of these vulnerabilities to implant password stealers, back doors, and occasionally
ransomware. WithSecure also discovered attempts to install a Windows version of the KrustyLoader back door on systems that had not been patched, a tactic previously associated with a group linked to Chinese espionage efforts, although direct attribution remains
uncertain.

Other cybersecurity organizations, including Sophos and Huntress, have reported similar findings, particularly identifying the LockBit ransomware group’s use of these flaws for attacks. This comes shortly after a significant law
enforcement effort aimed at disrupting this Russia-affiliated cybercrime syndicate.

Huntress’s analysis revealed a diverse range of malicious activities stemming from the exploitation of these vulnerabilities, including ransomware deployment, cryptocurrency mining, installation of additional remote access tools
for sustained network access, and the creation of new user accounts on compromised systems.

The full extent of the impact on ConnectWise ScreenConnect users or their clients due to these vulnerabilities is currently unknown. ConnectWise has not provided comments
in response to inquiries. The company claims to serve over a million small to medium-sized businesses, managing more than 13 million devices. A planned interview with ConnectWise’s CISO, Patrick Beggs, was abruptly canceled by the company without explanation.

Consequently, we recommend uninstalling the ScreenConnect client from your devices until further notice.
