CISA Alerts: ScreenConnect Bug Exploited in Recent Cyber Attacks – ConnectWise Vulnerabilities Explored
CISA warns of ConnectWise ScreenConnect bug exploited in attacks
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about malicious hackers actively exploiting a recently patched vulnerability in ConnectWise ScreenConnect – a popular remote management and monitoring solution.
This vulnerability, if left unpatched, can lead to remote code execution on the server and could have severe ramifications for federal agencies in the U.S.
Background
In mid-February, ConnectWise patched a critical vulnerability (CVE-2021-3451) in ScreenConnect version 19.0, affecting the ScreenConnect.Common.dll.
This bug could allow an unauthenticated attacker to execute code on the server and could lead to system compromise.
Latest Developments
The warning issued by CISA comes in the wake of reports of active exploitation of the vulnerability.
Attackers are capitalizing on the window of opportunity presented before organizations have had a chance to apply patches or take mitigating actions.
The actors are deploying scripts that involve downloading and executing malicious payloads from a remote server.
Impact and Mitigation
The exploitation of this vulnerability could have egregious consequences, including delegitimizing credentials, extracting sensitive data, and potentially disrupting critical operations.
Businesses and agencies using the impacted ConnectWise ScreenConnect version are urgently advised to update their software to the latest patched version.
In this regard, applying patches is a crucial first step.
However, organizations must also adopt a layered security approach.
This strategy may include utilizing threat hunting and intrusion detection tools, employing least privilege principles, implementing strong network segmentation, and providing regular security training for all staff.
The Larger Picture
This incident serves as a reminder of the importance of maintaining up-to-date systems and underscores the ever-growing threat of cyber terrorism.
It is also indicative of the need for continuous vulnerability management and frequent software updates within every element of an organization’s IT infrastructure.
With the trend of remote work on the rise, the need for secure remote management and monitoring solutions is greater than ever.
Cybersecurity professionals are encouraged to continually monitor their systems and react promptly to vulnerabilities and patch notifications.