New Cybersecurity Concern: LockBit Ransomware Targets ConnectWise ScreenConnect
Cybersecurity experts have issued alerts about increasing attacks on the remote desktop solution ConnectWise ScreenConnect, leveraging a severe security flaw.
Overview:
Security firms have noted a surge in attacks against ConnectWise ScreenConnect by cybercriminals. Sophos has identified instances where the LockBit ransomware is being spread by associated attackers. A critical vulnerability, identified as CVE-2024-1709, is being exploited on a large scale, according to Shadowserver, with over 8,200 exposed instances and 643 IP addresses identified in attack efforts. The Cybersecurity and Infrastructure Security Agency (CISA) has recognized the severity of this flaw, scoring it a 10 (the highest level of severity), and has included it in its catalog of Known Exploited Vulnerabilities, signaling an urgent risk to federal systems and mandating timely mitigation actions.
In-depth Analysis:
Cyber adversaries are actively targeting a critical vulnerability in ConnectWise ScreenConnect, shortly after the service urged users with on-premises installations to apply updates. ConnectWise has advised updating to version 23.9.8 or newer to mitigate the risk. The company is also taking measures to disable services for users who have not updated to the latest, more secure versions.
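The update threshold above (23.9.8 or newer) is easy to get wrong in an inventory script, because a plain string comparison ranks "23.9.10" below "23.9.8". The following Python is an added example, not code from the article or from ConnectWise; it assumes an administrator has already collected the server version strings by whatever means their environment provides, and the hostnames and version values in the sample inventory are constructed. The parser is written to handle version strings with more than three components as well, since it compares each numeric component in turn.

```python
"""Added example (not from the article or ConnectWise): decide whether a
ScreenConnect server version string meets the 23.9.8 minimum the vendor advised."""
import re

# Minimum patched version named in the advisory coverage.
FIXED_VERSION = "23.9.8"


def parse_version(text):
    """Split a version string such as '23.9.8' or '23.9.10.1' into a tuple of ints.

    Leading whitespace, an optional 'v' prefix and any trailing non-numeric
    suffix are ignored. Raises ValueError if no numeric components are found.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version, fixed=FIXED_VERSION):
    """True when `version` is at least `fixed`.

    Components are compared as integers, so 23.9.10 correctly ranks above
    23.9.8 (a string compare would say the opposite). Shorter tuples are padded
    with zeros so that 23.9.8 and 23.9.8.0 compare equal.
    """
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory):
    """Given {hostname: version_string}, return the sorted list of hosts that
    still need the update, ready to go into a ticket."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory; hostnames and version values are made up for
# illustration and do not describe any real deployment.
SAMPLE_INVENTORY = {
    "sc-01.example.test": "23.9.8",
    "sc-02.example.test": "v23.9.10.1",
    "sc-03.example.test": "23.8.7",
    "sc-04.example.test": "22.9.1",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}, update required")
```

Run as-is it reports the two constructed hosts below the threshold; in practice the inventory dictionary would be populated from whatever asset data the administrator already has.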
“Within the last 48 hours, we’ve observed various attacks targeting ScreenConnect,” stated Christopher Budd, from Sophos X-Ops Threat Research, highlighting the use of a malware constructed with the leaked LockBit 3 ransomware builder tool of 2022, which might not be directly associated with the original LockBit creators.
The attacks also include the deployment of other malicious software against ConnectWise ScreenConnect users, such as remote access trojans, information stealers, password theft tools, and various ransomware strains, suggesting a broad spectrum of attackers, according to Budd.
Sophos is further examining the involvement of another critical vulnerability, CVE-2024-1708, in these incidents.
“Our analysis of the complete attack methodologies is ongoing,” Budd remarked.
Rapid7’s threat intelligence director, Caitlin Condon, reported observing these exploits across several client networks, noting a variety of post-compromise tactics with no clear pattern regarding the types of organizations or sectors targeted.
ConnectWise has promptly responded to these vulnerabilities, ensuring that cloud-based partners received automatic protections within 24 hours. Nevertheless, the firm has yet to confirm any direct association with specific cybersecurity incidents.
“As of now, a direct connection between the exploited vulnerability and specific security breaches has not been established,” the company communicated.
The total number of ConnectWise ScreenConnect customers or end-users impacted by these vulnerabilities is still unclear, and ConnectWise has yet to respond to inquiries for comment. The company advertises its remote access technology to over a million small and medium-sized businesses, overseeing more than 13 million devices. Additionally, a previously scheduled interview with ConnectWise’s CISO Patrick Beggs was unexpectedly canceled by the company without provided reasons.
Consequently, we recommend uninstalling the ScreenConnect client from your devices until further notice.