ConnectWise ScreenConnect Vulnerabilities Alert and Second Ransomware Attack Victims Surveyed

Vulnerabilities identified in the remote desktop software ConnectWise ScreenConnect are being exploited to deliver a range of malicious payloads into enterprise environments. ConnectWise first disclosed the vulnerabilities on February 13, 2024, and attacks targeting them began a day after the release of patches. One vulnerability, CVE-2024-1709, is an authentication bypass with a CVSS severity score of 10. The other, CVE-2024-1708, is a high-severity path traversal vulnerability with a CVSS score of 8.4.

Considering the severity of the flaws and the high chance of exploitation, ConnectWise advised admins to update their on-premise servers to the fixed release right away. Proof-of-concept (PoC) exploits were released immediately after the disclosure, and within 24 hours of the release of the emergency patches, hackers began exploiting the vulnerabilities. According to Palo Alto Networks, about 18,000 IP addresses host ScreenConnect, but as of February 20, 2023, the ShadowServer Foundation states that most have been updated. As of February 20, 2024, about 3,800 ScreenConnect servers remained exposed.

According to Huntress researchers, a request could be sent to a vulnerable ScreenConnect server that permits the setup wizard to be used even if ScreenConnect had already been set up, which enables an attacker to create a new administrator account and take full control of the ScreenConnect instance. The Cybersecurity and Infrastructure Security Agency added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog on February 22, 2024.

The vulnerabilities affect ScreenConnect servers running version 23.9.7 and earlier. ConnectWise has stated that it has secured all cloud instances hosted on screenconnect.com or hostedrmm.com. On-premise users need to upgrade to ConnectWise ScreenConnect 23.9.8 to stop exploitation of the vulnerabilities.
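Two triage checks a defender would want from the two paragraphs above, as an added example that is not code from the article or from ConnectWise: a numeric version comparison against the 23.9.8 fix (so that 23.10.x is not mistaken for a vulnerable release) and a scan of web-server access logs for setup-wizard requests arriving after installation is already complete. The log format and the setup wizard endpoint path (/SetupWizard.aspx) are assumptions; the sample log lines are constructed.

```python
"""Added example: triage helpers for the ScreenConnect CVE-2024-1709 advisory.
Assumes the fixed on-premise release is 23.9.8 (stated in the article) and a
simple access-log shape of '<client-ip> <method> <path> <status>' (assumed)."""
import re
from dataclasses import dataclass

FIXED_VERSION = (23, 9, 8)  # on-premise servers must be on 23.9.8 or later


def parse_version(text):
    """Turn '23.9.7' into (23, 9, 7) so 23.10.0 compares above 23.9.8
    (a plain string comparison would get this wrong)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version):
    """True for 23.9.7 and earlier, i.e. anything below the fixed release."""
    return parse_version(version) < FIXED_VERSION


# Assumed log shape and assumed endpoint path for the ScreenConnect setup wizard.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
SETUP_WIZARD = "/setupwizard.aspx"


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    status: str


def setup_wizard_hits(log_lines, setup_completed=True):
    """Flag any request to the setup wizard on a server whose setup is already
    complete; on a healthy server that endpoint should never be hit again.
    Lines that do not match the assumed log shape are skipped."""
    findings = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        path = match.group("path").lower().split("?")[0]
        if setup_completed and path.startswith(SETUP_WIZARD):
            findings.append(Finding(match.group("ip"), match.group("path"), match.group("status")))
    return findings


# Constructed sample log: one ordinary request, one setup-wizard request, one login.
SAMPLE_LOG = [
    "203.0.113.7 GET /Host 200",
    "203.0.113.7 POST /SetupWizard.aspx 200",
    "198.51.100.2 GET /Login 302",
    "garbage line that does not parse",
]
```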

Most Ransomware Victims That Give Ransom Payments Encounter a Second Attack

Paying a ransom may help recover encrypted files, and threat actors normally remove stolen data from their data leak sites once paid. However, victims that pay are usually hit by a second attack, either by the same threat actor or by another ransomware group.

These repeat ransomware attacks are common. Based on a recent study by the cybersecurity company Cybereason, 56% of the companies surveyed have experienced more than one ransomware attack, and 78% of companies that paid a ransom encountered a second ransomware attack. In the second attack, 63% were asked to pay much more. Of the 78% of businesses that encountered a second attack, 36% said it was carried out by the same ransomware attacker and 42% said it was carried out by a new attacker.

The survey revealed the danger of paying a ransom. Only 47% of companies that decided to pay the ransom were able to retrieve their files, with the rest saying they either could not retrieve their records or they received corrupted files. Many victims of ransomware attacks, including HIPAA-covered entities, opt to pay a ransom to avoid the publication of the stolen data. Although ransomware groups typically erase stolen information from their data leak websites after a ransom is paid, there is no guarantee that the records will be removed. That data is valuable and can easily be sold to another attacker, so there is little incentive to remove it.

The danger of data disclosure is one of the primary reasons for paying ransoms, but several other factors push attacked organizations to pay, including a lack of backups, the time required to recover without paying, fear of loss of business, and a lack of staff to handle the attack.

Of the 1,000 businesses surveyed, 84% said they paid a ransom following a ransomware attack, and the average ransom demanded was $1.4 million. Whether or not the ransom is paid, the losses can be substantial: 46% of companies that experienced an attack said their losses were between $1 million and $10 million, and 16% said they lost more than $10 million.

The following are the frequent initial access vectors in ransomware attacks:

  • 41% are supply chain compromises
  • 24% are direct attacks
  • 22% are malicious insiders

The study also shows that many ransomware groups take their time to compromise as much of the network as they can. They steal large amounts of data and only deploy ransomware when they believe they can demand a high payment. 56% of victims said the attackers were inside their systems for between 3 and 12 months before deploying ransomware.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone