FortiNDRCloud
kcheung (Staff)
Article Id 301922

Description 

On February 19, 2024, ConnectWise published a security advisory for ScreenConnect covering two CVEs: CVE-2024-1708 and CVE-2024-1709.

CVE-2024-1709 is an authentication bypass (CWE-288) in the ScreenConnect setup wizard that lets an unauthenticated attacker create a new administrator account on a vulnerable instance.

Once they hold an administrator account, attackers can exploit CVE-2024-1708, a path traversal flaw (CWE-22), to write files outside the intended directory and achieve remote code execution on the instance.

ConnectWise recommends updating impacted ScreenConnect instances to version 23.9.8 or later to remediate both vulnerabilities.

CVE ID

CVE-2024-1708 (https://nvd.nist.gov/vuln/detail/CVE-2024-1708)

CVE-2024-1709 (https://nvd.nist.gov/vuln/detail/CVE-2024-1709)

NDR Cloud Detection Rule

The following detection rules detect exploitation attempts against vulnerable ConnectWise ScreenConnect server instances:

Detection Rule Name | Category | Primary MITRE ID
FortiGuard Outbreak Alert: ScreenConnect Exploit to Vulnerable Server CVE-2024-1708 | Attack:Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: ScreenConnect Exploit to Vulnerable Server CVE-2024-1709 | Attack:Exploitation | T1190 - Exploit Public-Facing Application

Customers can use the following detections to identify which devices are running ConnectWise ScreenConnect:

Detection Rule Name | Category | Primary MITRE ID
Potentially Unauthorized ScreenConnect Remote Administration Tool SSL Certificate | Posture: Potentially Unauthorized Software or Device | T1071 - Application Layer Protocol
Potentially Unauthorized ScreenConnect Remote Administration Tool | Posture: Potentially Unauthorized Software or Device | T1071 - Application Layer Protocol
Potentially Unauthorized ScreenConnect Remote Administration Tool HTTP Request | Posture: Potentially Unauthorized Software or Device | T1071 - Application Layer Protocol

Playbook 

N/A

Threat hunting

FortiNDR Cloud users can use the IOCs published by FortiGuard to hunt for activity related to the “ConnectWise ScreenConnect Attack” outbreak.
IOC source:
https://www.fortiguard.com/outbreak-ioc?tag=connectwise%20screenconnect%20attack

Suricata Coverage

Customers can create custom investigations or detections using the Emerging Threats (ET) Suricata signatures below:

2050988 -> ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)

2050989 -> ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)

2050990 -> ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)

2050991 -> ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)

2050992 -> ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)
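The following is an added example, not code from Fortinet, ConnectWise, or the Emerging Threats ruleset. It mirrors the matching logic of the five ET signatures above over constructed web-server access log lines, so the signature IDs can be tied back to individual requests and source IPs for a hunt, and it also checks a reported ScreenConnect version against the 23.9.8 fix threshold given in the Description. The log layout, the use of a request URI beginning with /SetupWizard.aspx/ as the bypass pattern, and the use of an HTTP 200 response as a stand-in for the response-content checks in the "Successful" rules are assumptions; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Remediated release stated in the ConnectWise advisory: 23.9.8 or later.
FIXED_VERSION = (23, 9, 8)

# Simplified combined-log layout for the constructed sample below (assumption).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+'
)


@dataclass
class Finding:
    src: str
    ts: str
    sid: int      # ET signature whose logic this finding mirrors
    detail: str


def parse_version(v: str) -> tuple:
    """'23.9.7.8774' -> (23, 9, 7, 8774); compare numerically, never as strings."""
    return tuple(int(p) for p in v.strip().split("."))


def is_vulnerable_version(v: str) -> bool:
    """True when the reported ScreenConnect version predates the fixed release."""
    return parse_version(v)[:3] < FIXED_VERSION


def classify(line: str) -> Optional[Finding]:
    """Map one access-log line to the ET signature it would trip, if any."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    # Bypass pattern (assumed from the public ET rule logic): a request whose
    # URI starts with /SetupWizard.aspx/ on a server that is already configured.
    if not path.lower().startswith("/setupwizard.aspx/"):
        return None
    method, status = m["method"], int(m["status"])
    ok = status == 200   # stand-in for the response-content check (assumption)
    if method == "POST":
        sid = 2050992 if ok else 2050991
        detail = "user creation via SetupWizard " + ("succeeded" if ok else "attempted")
    else:
        sid = 2050989 if ok else 2050988
        detail = "SetupWizard auth bypass " + ("succeeded" if ok else "attempted")
    return Finding(m["src"], m["ts"], sid, detail)


def hunt(lines: List[str]) -> List[Finding]:
    """Run the classifier over a log and keep only the hits."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def suspicious_sources(findings: List[Finding]) -> List[str]:
    """Sorted unique client IPs worth pivoting on in FortiNDR Cloud."""
    return sorted({f.src for f in findings})


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Feb/2024:10:00:00 +0000] "GET /Host HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Feb/2024:10:01:12 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 8192',
    '203.0.113.7 - - [19/Feb/2024:10:01:15 +0000] "POST /SetupWizard.aspx/ HTTP/1.1" 200 512',
    '198.51.100.9 - - [19/Feb/2024:10:02:00 +0000] "GET /SetupWizard.aspx/abc HTTP/1.1" 404 0',
    '10.0.0.5 - - [19/Feb/2024:10:03:00 +0000] "GET /Login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for f in findings:
        print(f"{f.ts} {f.src} sid={f.sid} {f.detail}")
    print("pivot on:", suspicious_sources(findings))
    for v in ("23.9.7.8774", "23.9.8.8811", "24.1.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
```

A hit on 2050992 (POST answered with 200) is the one to escalate first: in the sample it follows a successful bypass from the same source, which is the sequence the Description lays out, and the next step for that host is to look for a newly created administrator account and for file writes consistent with CVE-2024-1708. The version check compares integer tuples rather than strings so that a build such as 23.9.10 is not misordered before 23.9.8.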

Other Fortinet Products

For details on mitigating these vulnerabilities with other Fortinet products, refer to the FortiGuard Outbreak Alert:
https://www.fortiguard.com/outbreak-alert/connectwise-screenconnect-attack
