CVE-2024-1709 and a massive attack on US medical institutions

This article discusses the zero-day vulnerability CVE-2024-1709, which allows an attacker to bypass authentication and gain unrestricted access to servers and endpoints managed with ConnectWise ScreenConnect remote desktop software. This software is widely used in US medical and pharmaceutical institutions and appears to have been responsible for the ongoing massive attack on them, in particular on the largest insurance company, United Healthcare.

Chronology of Events

February 13, 2024: ConnectWise informed its customers of a vulnerability in ScreenConnect 23.9.7 and earlier that allows the authentication mechanism to be bypassed. The vulnerability was assigned the identifier CVE-2024-1709. As a fix, the company offered an update to version 23.9.8.

Updating requires a paid subscription; the original license includes access to updates for one year.

The vulnerability was assigned a CVSS (Common Vulnerability Scoring System) score of 10/10. By comparison, the well-known OpenSSL vulnerability CVE-2014-0160, also known as Heartbleed, was scored 5.0 and 7.5.

According to the CEO of the Huntress research group, tens of thousands of servers in the United States, controlling hundreds of thousands of endpoints, are vulnerable.

February 14, 2024: Mike Turner, Chairman of the House Intelligence Committee, issued a statement about a new threat to US security without providing details. He also demanded that President Biden's administration declassify and publish information about this threat. It was later said that the threat concerned Russia's intention to deploy nuclear weapons in space, but no independent confirmation of this has been published.

February 20, 2024: the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the UK National Crime Agency (NCA) published information about a joint operation codenamed Cronos against the Russian hacker group LockBit, which specializes in ransomware attacks. The NCA calls LockBit the most harmful cybercriminal group in the world. The names of group members were published, along with keys that allow files encrypted by LockBit's ransomware to be decrypted.

The dark web site controlled by the group was seized and taken offline.

February 21, 2024: a day after the operation was announced, the largest insurance company in the United States, United Healthcare, disclosed that its Change Healthcare system, which holds the medical records of 85 million patients and is also the sole prescription drug provider for the US military, had been compromised. The State Department offered a reward of $15 million for information leading to the capture of LockBit members and leaders. Independent sources also link the attack to LockBit and to the vulnerability CVE-2024-1709.

February 24, 2024: the leader of the LockBit group, hiding under the nickname LockBitSupp, published a statement criticizing Operation Cronos and questioning its effectiveness. According to him, the group's previously deactivated website had become accessible again. He also claimed that the names revealed in connection with Operation Cronos were only aliases. LockBitSupp asserted that the FBI is trying to destroy his reputation and that of his "organization", which deals in "postpaid pentesting". He stated that he will continue his activity and "cannot be stopped."

Description of the vulnerability CVE-2024-1709

ConnectWise ScreenConnect uses ASP.NET for browser-based administration. During initial installation, the user is prompted to open the Setup Wizard page (/SetupWizard.aspx) to create the first account and then configure the system. Once initial setup is complete, access to this installation page is disabled and it becomes unavailable.

The vulnerability lies in how the check for a completed initial installation was performed inside the OnBeginRequest event handler: it ran only if the address in Request.Path exactly matched the string /SetupWizard.aspx. If the strings matched, a further check determined whether setup mode had already completed, and if so the handler returned a 403 error, blocking access to the Setup Wizard page. However, if Request.Path did not match /SetupWizard.aspx, the check was never performed: OnBeginRequest returned and access to the requested page was allowed.

Thus, to reach the Setup Wizard it is enough to request any address that begins with /SetupWizard.aspx, for example /SetupWizard.aspx/literallyanything.

Because /SetupWizard.aspx/literallyanything does not match the string /SetupWizard.aspx, the completed-installation check is not performed and the OnBeginRequest handler lets the request continue. ASP.NET nevertheless routes such a request to the SetupWizard.aspx handler, treating the trailing segment as path info, so anyone can run the Setup Wizard again.

Once an attacker has access to the Setup Wizard, they can create a new administrator account and, using the Extensions functionality, upload arbitrary code that will be executed on the attacked machine as the system user.

The CVE-2024-1709 fix adds a context.Handler check to the string comparison. Source: Huntress
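To make the path-matching flaw and the shape of the fix concrete, the following added example (not ScreenConnect's or Huntress's code) models the pre-patch check beside a handler-based check and runs a small scan over constructed log lines. The ASP.NET routing helper, the log format and the sample IPs are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

SETUP_PAGE = "/setupwizard.aspx"

def aspnet_handler(path: str) -> str:
    """Map a request path to the .aspx page ASP.NET would serve it with: ASP.NET
    routes /Page.aspx/anything to Page.aspx and exposes the tail as PathInfo.
    This is a modelled approximation (hypothetical helper), not ScreenConnect code."""
    bare = unquote(urlsplit(path).path)
    m = re.match(r"^(/[^/]+\.aspx)(/.*)?$", bare, re.IGNORECASE)
    return m.group(1).lower() if m else bare.lower()

def vulnerable_begin_request(path: str, setup_complete: bool) -> int:
    """Pre-23.9.8 OnBeginRequest logic as the article describes it: the
    completed-setup check fires only on an exact Request.Path match."""
    if path == "/SetupWizard.aspx" and setup_complete:
        return 403
    return 200  # anything else, including /SetupWizard.aspx/<suffix>, passes

def fixed_begin_request(path: str, setup_complete: bool) -> int:
    """Patched logic as the article describes it: the check keys on the handler
    the request resolves to, so a PathInfo suffix no longer evades it."""
    if aspnet_handler(path) == SETUP_PAGE and setup_complete:
        return 403
    return 200

# Constructed sample log (not real traffic): "date time method path status client-ip"
SAMPLE_LOG = """\
2024-02-21 09:58:10 GET /Login.aspx 200 198.51.100.7
2024-02-21 09:59:02 GET /SetupWizard.aspx 403 203.0.113.5
2024-02-21 09:59:05 GET /SetupWizard.aspx/literallyanything 200 203.0.113.5
2024-02-21 09:59:09 POST /setupwizard.aspx/x?step=2 200 203.0.113.5
2024-02-21 10:01:44 GET /Host 200 198.51.100.7
"""

def flag_setup_wizard_hits(log_text: str):
    """Return (client_ip, path, status) for every request that resolves to the
    Setup Wizard handler. On a server whose initial setup is complete each such
    hit deserves a look; a trailing segment after .aspx is the bypass signature."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        _date, _time, _method, path, status, client = fields
        if aspnet_handler(path) == SETUP_PAGE:
            hits.append((client, path, int(status)))
    return hits
```

A 200 on a path that resolves to the Setup Wizard after installation has completed is the condition to alert on; the exact-match version returns 200 for every suffixed variant.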

Conclusions

As of this writing, thousands of servers are still vulnerable to CVE-2024-1709, and the systems of United Health and many US pharmacies have not yet been restored.

Quote from Huntress researcher John Hammond:

It’s strange, because now our job has shifted to not being ahead of the vulnerability, not understanding it, not sharing information, but watching how the Internet burns and trying to respond and correct everything in our power. We watch the world burn.

Links:

Post on Reddit by Subushie: link

Huntress IS Group Report: link
