The ConnectWise cyberattack just got a whole lot worse
Days after the patch was released, hackers started exploiting the flaws
The recent ConnectWise cyberattack may have taken a turn for the worse after multiple security companies confirmed hackers are exploiting recently discovered flaws en masse.
Last week, ConnectWise confirmed finding and patching two critical security vulnerabilities in its ScreenConnect product.
“Vulnerabilities were reported February 13, 2024, through our vulnerability disclosure channel via the ConnectWise Trust Center,” ConnectWise warned in a security advisory.
Major campaign
At the time the advisory was issued, the company had no evidence of exploitation in the wild, “but immediate action must be taken by on-premise partners to address these identified security risks,” it warned.
The two flaws are now tracked as CVE-2024-1709 (authentication bypass flaw) and CVE-2024-1708 (path traversal vulnerability). The bugs could be used to drop malware on vulnerable ScreenConnect instances (versions 23.9.7 and older) and steal sensitive data, all without requiring user interaction.
ScreenConnect is a remote access platform, allegedly used by more than one million companies around the world.
A company spokesperson told TechCrunch the majority of its clients (80%) use cloud-based environments which were patched within two days.
Now, security researchers at Mandiant, WithSecure, Sophos, and Huntress have all confirmed mass exploitation of the flaw. Even some high-profile names, such as the LockBit ransomware gang, were confirmed to have been using the flaw to deploy droppers.
Mandiant recently published a blog post saying it “identified mass exploitation.” A few days later WithSecure observed “en-mass exploitation” from multiple groups using the flaws to drop password stealers, backdoors, and even ransomware.
Huntress said it observed “a number of adversaries”, including LockBit, which was recently a target of a major international law enforcement operation.
It is not yet possible to determine exactly how many firms were affected by the flaws, but TechCrunch reported that more than one million SMBs managing over 13 million devices are ConnectWise customers.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.