TLDR:
Key points:
- CISA issued a notice to update or take offline ConnectWise ScreenConnect servers due to vulnerabilities.
- Exploits are already being seen in the wild, including ransomware, cryptocurrency miners, and remote access tools.
Article Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has alerted ConnectWise partners and customers about the need to update or shut down on-premises ScreenConnect servers to address vulnerabilities that have been exploited in the wild, leading to various malicious activities.
Huntress, a threat hunting firm, has detected active adversaries using ScreenConnect access for post-exploitation, including deploying ransomware, coin miners, and other tools. UnitedHealth Group’s Change Healthcare experienced disruptions due to LockBit malware related to ScreenConnect vulnerabilities.
ConnectWise has urged users to update to version 23.9.8 or higher to address the reported vulnerabilities. CISA has added the ScreenConnect vulnerability to its Known Exploited Vulnerabilities Catalog, emphasizing the severity of the issue and the need for immediate action.
While some experts compare the exploit to previous major attacks like Kaseya and SolarWinds, ConnectWise CISO Patrick Beggs clarifies that it is a vulnerability exploitation and not a breach of ConnectWise infrastructure. However, security researcher John Hammond views the situation as a large cyberattack, emphasizing the urgency of responding and remediating the exploit.