Response to ScreenConnect’s Recent Zero-day Vulnerability Exploitation

AttackIQ has released a new assessment template in response to the recent wave of zero-day vulnerability exploits affecting ConnectWise’s ScreenConnect software. This assessment template comprises the various Tactics, Techniques, and Procedures (TTPs) exhibited by several adversaries observed exploiting these vulnerabilities to deploy different families of Ransomware. Read More

On February 19, 2024, ConnectWise published a security advisory detailing the discovery of two significant vulnerabilities, CVE-2024-1708 (Path Traversal) and CVE-2024-1709 (Authentication Bypass), affecting ScreenConnect version 23.9.8.

Successful exploitation of these vulnerabilities allowed adversaries to gain unauthorized access and control over affected systems. The exploitation of these vulnerabilities was named “SlashAndGrab” by Huntress, due to the simplicity of adding a single forward slash character to the end of the address of a vulnerable ScreenConnect installation.

Following the announcement, researchers from Trend Micro and Huntress detected that these vulnerabilities were being actively exploited for the deployment of ransomware, leading to considerable disruptions and potential damage to businesses relying on this software.

Detailed analysis of these activities allowed to associate the exploitation of these vulnerabilities with various ransomware groups, including Black Basta, LockBit, and Bl00dy.

AttackIQ has previously emulated Black Basta behaviors in an intrusion chain that is associated with the second-stage modular backdoor known as QakBot.

In turn, AttackIQ has previously emulated activities associated with LockBit ransomware on three occasions in response to CISA Advisories AA23-075A, AA23-165A, AA23-325A.

AttackIQ has released a new assessment template that emulates various Tactics, Techniques, and Procedures (TTPs) exhibited by several adversaries observed exploiting these vulnerabilities to deploy different families of Ransomware with the aim of helping customers validate their security controls and their ability to defend against this recent threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Assess your security posture against a newly discovered threat associated with high-calibre adversaries.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

SlashAndGrab – 2024-02 – Associated Post-Exploitation Tactics, Techniques, and Procedures (TTPs)

This assessment template emulates the various Tactics, Techniques, and Procedures (TTPs) exhibited by several adversaries observed exploiting these vulnerabilities to deploy different families of Ransomware following successful exploitation of CVE-2024-1708 (Path Traversal) and CVE-2024-1709 (Authentication Bypass).

The template is divided into Tactics, and these group the Techniques and Implementations exhibited by several adversaries during their activities.

1. Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.

System Binary Proxy Execution: Msiexec (T1218.007): This scenario executes a Windows Installer Package (MSI) using the msiexec.exe utility.

System Binary Proxy Execution: Rundll32 (T1218.011): RunDll32 is a native system utility that can be used to execute DLL files and call a specific export inside the file. This scenario executes RunDll32 with an AttackIQ DLL and calls an export to mimic previously reported malicious activity.

2. Persistence

Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Logon Autostart Execution: Startup Folder (T1547.001): The Startup folder is a directory associated with the Windows Start Menu that can be used to launch a process at Windows logon. This scenario creates a LNK file in this directory that would execute at next logon for all users.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.

Windows Management Instrumentation (T1047): WMI can be used to launch an executable or command when a common event consumer is triggered.

Create Account: Local Account (T1136.001): This scenario creates a new account using net user to ensure persistence in the system.

3. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Add-MpPreference cmdlet to add a directory to the exclusion list in Microsoft Defender.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Set-MpPreference cmdlet to modify the DisableRealtimeMonitoring in Microsoft Defender.

Valid Accounts: Local Accounts (T1078.003): This scenario will attempt to add a local user to a local Administrators group using the net localgroup command.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

4. Command and Control

Techniques that adversaries may use to communicate with systems under their control within a victim network.

Remote Services: SSH (T1021.004): This scenario will initiate an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

5. Discovery

Techniques that adversaries use to discover information related to the compromised environment.

Remote System Discovery (T1018): This scenario will search for other domain computers using the net group command.

Permission Groups Discovery (T1069): This scenario will enumerate permission groups using the net group /domain command.

Remote System Discovery (T1018): This scenario executes the nltest command to gather a list of domain controllers associated with a domain.

Domain Trust Discovery (T1482): This scenario calls the native nltest utility with the /trusted_domains option to retrieve a list of trusted Active Directory domains associated with this host.

Remote System Discovery (T1018): This scenario executes the PowerShell GetCurrentDomain() command to retrieve domain information.

System Information Discovery (T1082): This scenario executes the Get-WmiObject Win32_LogicalDisk command via PowerShell to obtain the device ID of the logical disks.

System Information Discovery (T1082): This scenario executes the Get-WmiObject Win32_ComputerSystem via PowerShell to obtain detailed information pertaining to the compromised host.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by these threats, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review ConnectWise’s Patching and Detection Recommendations

ConnectWise has provided a number of recommendations for defending yourself from exploitation of these widely known vulnerabilities. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. System Binary Proxy Execution: Rundll32 (T1218.011):

Adversaries may use DLL files for many of their malware payloads and leverage a native Windows utility to execute them. The primary native method for executing these files is to call the RunDll32 tool and pass along the path and export function to be executed.

2a. Detection

While this tool is commonly used by legitimate applications, there are behaviors related to their execution that can stand out in your process logs. Searching for files that are being executed from temporary directories, that don’t have the standard .dll file extension, or call strange looking export names can stand out from regular user behavior.

Process Name == (rundll32.exe)
Command Line CONTAINS (‘TEMP’ OR ‘.png’ OR ‘Roaming’ OR ‘%APPDATA%’)
Current Directory CONTAINS (‘D:\’ OR ‘E:\’)

2b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendation:

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against the activities associated with these threats. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.