CVE-2024-1709

Vulnerability updated 7 months ago (2024-05-04T19:56:22.337Z)

Download STIX

Preview STIX

CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid Response, which developed SQL scripts to identify machines running versions of ScreenConnect Server vulnerable to this exploit. Despite the release of patches to address these vulnerabilities, many systems remain exposed due to insufficient update practices. The exploitation of this vulnerability has been linked to numerous cyberattacks involving the delivery of various malicious payloads. Among the threat actors exploiting this flaw are the BlackCat, Black Basta, and Bloody ransomware groups. These attackers have used CVE-2024-1709 to create admin accounts, delete existing users, and take over vulnerable instances, causing significant damage and disruption to affected organizations. Notably, the BlackCat group denied using this vulnerability in attacks on Change Healthcare's network, despite contrary reports from sources familiar with the investigation. In response to these threats, Check Point's IPS blade provides protection against these exploits, including the ConnectWise ScreenConnect Remote Code Execution (CVE-2024-1708) and the ConnectWise ScreenConnect Authentication Bypass (CVE-2024-1709). However, the continued exploitation of CVE-2024-1709 underscores the importance of prompt patch application and robust cybersecurity practices to protect against these types of vulnerabilities.

Description last updated: 2024-03-17T01:21:09.507Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

ConnectWise

Vulnerability

Screenconnect

Ransomware

CISA

Exploit

Traversal

Healthcare

Exploits

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Black Basta Malware is associated with CVE-2024-1709. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses	Unspecified	4
The Lockbit Malware is associated with CVE-2024-1709. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	2
The Toddleshark Malware is associated with CVE-2024-1709. ToddleShark is a new variant of malware, believed to be an evolution of Kimsuky's BabyShark and ReconShark backdoors. It has been identified by Kroll's analysts as being used by the North Korean APT hacking group Kimsuky to target government organizations, research centers, universities, and think t	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Bl00dy Threat Actor is associated with CVE-2024-1709. Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i	Unspecified	3

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2024-1708 Vulnerability is associated with CVE-2024-1709. CVE-2024-1708 is a high-severity path traversal vulnerability that was discovered in ConnectWise's ScreenConnect software. This flaw, which affects versions 23.9.7 and earlier, allows a remote privileged user to read arbitrary files on the system using a specially crafted HTTP request. ConnectWise d	Unspecified	5

Source Document References

Information about the CVE-2024-1709 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	2 months ago	Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
DARKReading	6 months ago	500 Victims In, Black Basta Reinvents With Novel Vishing Strategy
CISA	6 months ago	#StopRansomware: Black Basta \| CISA
BankInfoSecurity	8 months ago	Likely Chinese Hacking Contractor Is Quick to Exploit N-Days
CERT-EU	8 months ago	GRIT Ransomware Report: February 2024 \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	8 months ago	Multiple Vulnerabilities Found In ConnectWise ScreenConnect \| Zscaler
CERT-EU	9 months ago	Cyber Security Week in Review: March 8, 2024
CERT-EU	9 months ago	How Ransomware Fallout Is Rippling Through the US Health Care System \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	9 months ago	North Korea’s Kimsuky gang joins rush to exploit new ScreenConnect bugs
DARKReading	9 months ago	North Korea Hits ScreenConnect Bugs to Drop 'ToddleShark' Malware
CERT-EU	9 months ago	ConnectWise ScreenConnect Subdomain Listed as IoC in CISA's BlackCat Ransomware Advisory
CERT-EU	9 months ago	Critical ScreenConnect flaws exploited to deploy Babyshark malware variant
CERT-EU	9 months ago	ScreenConnect flaws exploited to drop new ToddleShark malware
Checkpoint	9 months ago	4th March – Threat Intelligence Report - Check Point Research
CERT-EU	9 months ago	Cyber Security Week in Review: March 1, 2024
CERT-EU	9 months ago	Week in review: LockBit leak site is back online, NIST updates its Cybersecurity Framework - Help Net Security
CERT-EU	9 months ago	Week in review: LockBit leak site is back online, NIST updates its Cybersecurity Framework \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	9 months ago	ConnectWise ScreenConnect bug used in Play ransomware breach, MSP attack
CERT-EU	9 months ago	Healthcare in Crosshairs: ALPHV/Blackcat Ransomware Threat Escalates, FBI Issues Warning
CERT-EU	9 months ago	Black Basta Ransomware Attack: 5 New Victims Exposed \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting