Although the news of the infamous ConnectWise flaw which allowed for the creation of admin accounts is a bit cold, it still is one that bears discussion and plays heavily into a broader conversation around proper security controls at the edge of the network. For those that might have been living under a rock for the last few months, let’s recap what the ConnectWise ScreenConnect flaw was.
In February of 2024 news began to flow across the internet of a pair of vulnerabilities in ConnectWise’s ScreenConnect service. The most concerning one was an Authentication Bypass (CVE-2024-1709), but also significant was a Path Traversal vulnerability (CVE-2024-1708). The Auth Bypass was pounced upon by security researchers to see what the big deal was. A few identified the what and the how, but decided to keep this internal until a patch or mitigation could be rolled out. Others were not so professional in their actions and pushed out the exact details on social media. This causes a resurgence of the debate over the release of Proof of Concept and/or tools to the public and how that impacts the cybersecurity landscape. It was not long after that CISA added CVE-2024-1709 to the Known Exploited Vulnerability list (the KEV).
I had an opportunity to talk with John Hammond at Huntress about this pair of vulnerabilities and what the significance would be to the industry. I went into the talk already knowing a bit about what was being claimed on the internet for CVE-2024-1709 (which would be dubbed Slash and Grab). However, I wanted to hear about it directly from one of the researchers that was working on not only what the flaw was and how to exploit it, but also the larger impact to the landscape. I decided to talk to Huntress because they were one of the groups that were not going to release details of how to exploit the vulnerability before ConnectWise was able to respond.
My first question was “is it really as simple as adding a slash and some random characters” … Of course, it was, and John showed me a quick demo and what could be done once the flaw was exploited. After seeing this I had to laugh because, in my head, this was not just an authentication bypass, this was an absolute failure of input validation on the part of the software. It is like the old “Johnny DropTables” joke, I never thought I would see this in real life. We went on to discuss the exploitation of this “flaw” by threat actors including the deployment of Ransomware, Cryptominers, Remote Access Tool installation, Cobalt Strike Deployments, and more. It was (and still is) significant in terms of the direct impact to the threat landscape.
John and the Huntress team made the comparison to the Kaseya incident and stated that this one might be worse in terms of overall impact. While I personally feel that Kaseya was a more significant breach, I can completely understand their thinking here. Kaseya was massive because the agent is exceptionally powerful in an environment (it was developed as an NSA tool after all). Once in a threat actor had a massive amount of control over the environment making expelling them very difficult. Here the impact is the easy of exploitation, making it trivial to get in, deploy tools, and profit across a wide range of targets.
ConnectWise, to their credit, owned up to the issue and putout mitigation methods and a patch very quickly. They added in mitigations to their cloud environment first (likely via a Web Application Firewall or other URL/URI validation method) while they themselves ran patched their servers. They also revoked licenses for unpatched servers to prevent exploitation, although there was never any indication of what this would do to prevent the situation.
Sadly, the damage was done by the time the mitigations and patches were rolled out. The bad guys had already latched onto the flaw with its easy exploitation and started their campaigns. The Huntress SOC released an overview on February 23rd, 5 days after the flaw hit the streets showing what threat groups were getting up to. This was a day after our call with John Hammond and shortly after the first ransomware attack on a local government’s systems.
Huntress was on top of this event from the beginning and have continued to monitor the situation and while this article might be late to the playground, the message behind it is certainly not. We continue to see flaws of this type identified in commonly used management software get popped while hearing about companies investing in “AI” like it is going to fix all the cybersecurity ills. Put a bit bluntly, if you are not protecting your environment, hardware, software, etc. from flaws like this, you really need to stop looking at AI and refocus on some of the basics. It is not enough to sit around and wait for groups like Huntress to show you how bad the next “$BigThing” is, you should be listening to them as they explain why that last one was and being proactive so you can nod along when the next thing hits, instead of scrambling to make sure you haven’t been owned.