Contents:
A subdomain related to ScreenConnect appears as an Indicator of Compromise (IoC) on CISA`s #StopRansomware: ALPHV Blackcat joint advisory update.
Fisa99.screenconnect[.]com, which is a ScreenConnect remote access domain, is listed in Table 4, as a network IoC.
In their advisory, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) also warned that ALPHV Blackcat affiliates are targeting the healthcare sector.
Additionally, on February 22nd, CISA added a critical vulnerability in ScreenConnect to their Known Exploited Vulnerabilities Catalog. The advisory urged U.S. federal agencies to patch vulnerable servers by February 29.
More about the ScreenConnect Vulnerability
CVE-2024-1709 is an authentication bypass flaw that attackers can use for direct access to confidential information or critical systems.
Hackers can exploit the ScreenConnect vulnerability to create admin accounts on publicly exposed assets. Further on, threat actors could act as a system admin.
The flaw`s CVSS score is 10, the highest possible. CVE-2024-1709 impacts ConnectWise ScreenConnect versions 23.9.7 and prior.
ConnectWise released a patch for the flaw in few days after discovering it. They advised admins using on-premise software to update servers to ScreenConnect version 23.9.8.
Ransomware groups are exploiting the ScreenConnect vulnerability
Few days after ConnectWise disclosed CVE-2024-1709, researchers found proofs that LockBit, Black Basta and Bl00dy are already exploiting the vulnerability.
LockBit managed to restore their servers, after law enforcement temporarily disrupted their activity.
Patching CVE-2024-1709 should now be a top priority for any Security Admin.
Some of the prevention measures CISA recommends against ransomware are:
- Periodically check for authorized and unauthorized devices and software in your network
- Patch known exploited vulnerabilities and CVEs
- Use multi-factor authentication and a strong password policy
- Close unused ports to avoid port scan attacks
- Remove unnecessary software
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.