Analytics Story: ConnectWise ScreenConnect Vulnerabilities

Description

This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities.

Why it matters

The following analytic story includes content for recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal. The vulnerabilities, identified as critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
ConnectWise ScreenConnect Path Traversal Exploit Public-Facing Application TTP
ConnectWise ScreenConnect Path Traversal Windows SACL Exploit Public-Facing Application TTP
ConnectWise ScreenConnect Authentication Bypass Exploit Public-Facing Application TTP
Nginx ConnectWise ScreenConnect Authentication Bypass Exploit Public-Facing Application TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Nginx Access N/A nginx:plus:kv /var/log/nginx/access.log
Suricata N/A suricata suricata
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1