The February 2024 Self Hosted Screen Connect Vulnerability Explained

Captions
Now that all the statements are out, the proof of concept has been posted and there's an announcement from ConnectWise, I figure it's time to close the loop and talk about what happened with ScreenConnect and what's going on moving forward. This is still an actively exploited incident, so "over" isn't really what I would describe it as, but it's in the process of being over based on the changes that they made. So let's dive into this.

Now, the first thing I need to talk about is what ScreenConnect is and how on-premise was sold, because this is a big piece of it. ScreenConnect today is a great piece of software that you can use to remotely manage lots of computers and take over desktops, and this is used by IT service providers to manage all of their fleet of computers. So, hey, when you need help, this is part of our managed agreement: we have ScreenConnect on there and we're able to then take control of that computer, fix your Outlook problem, your printer problem, etc., and service that system. This isn't just used by IT companies that are external like us in the managed service provider space, but it's also frequently used in the enterprise space by large universities and school systems. It is basically one of the most popular help desk tools out there, and it's been around for a long time. It was sold very popularly as a self-hostable, on-premise solution. This is actually what got me interested in it, and I started using it back in 2014 and bought one of those on-premise licenses. They're, I think, still available today, but they're not publicly listed on their site anymore, so I had to use the Wayback Machine to show how they were sold. That being said, they were not sold with the normal expiring license like you would see on a product today. They were sold with: hey, if you buy this license, you will continue to get support and updates, but if the license expires, you can continue to use it. Your endpoints won't go away, but you can't load updates. That's an important piece, because what happens is people said, well, it works fine the way it is, I don't care about the new features, I don't care about support, because, well, it works, and we're just going to keep using it. Unfortunately, it's not just support or new features; it's also security updates you're missing. So some people just quit updating these, and when a major flaw was discovered in this system, this is what we did that live stream the other day about, and I couldn't give details, because any details given, including how to detect it, would actually tell you how the flaw works.

Now the whole proof of concept is out and the details can be shared. Here's a video showing just how quickly this can be done. Thanks to Huntress for putting this together; the proof of concept and all the details are in the links you'll find below. Obviously this is one of the worst-case scenarios, because this allows threat actors to not only take control of these systems, but then they have all of these other computers at their disposal to do what they want with. Undoubtedly, you know, the more popular thing here in 2024 is going to be ransomware attacks, but just the fact that they have system-level access to thousands of systems... So even though ScreenConnect is not something that most end users have heard of, the fact that for each place using it, whether it be a large university's internal IT team or the many, many managed service providers, this means thousands of computers can be taken over for each one of these self-hosted instances. And how many are there? Well, according to Shodan, thousands of them, around 7 or 8 thousand depending on what type of search parameters you put in there, that are the self-hosted ones showing up. I didn't filter through all of it, and even if it's a fraction of that that are actually real and not some type of honeypot, there are still a lot of them out there. This is why it matters.

Now let's talk about the response and what is being done. ConnectWise did two really big things that I think are very good, and I'm praising them for this behavior. First, ConnectWise decided to take the license and invalidate it, so when these things do their license check-in, even though they have the right to use it under the old terms and conditions, they decided to invalidate the license and break those machines. And you're going, "Tom, why would you praise the company for doing that?" Hear me out. They also have a patch that allows for on-premise upgrades regardless of license status. The problem I have is, when I took the time to call local schools, large-scale schools, entire districts using ConnectWise, and tried to get a hold of their IT people, they haven't updated in years. They don't seem enthusiastic about the thought of updating, because there are a lot of factors involved when there are so many versions behind. There is a path to get to the latest version, but that being said, these companies, or these school districts, or these IT people, are just using it. So getting them to actually shut these instances down is really, really hard. So by ConnectWise invalidating them, they're now forced to figure out what's going on, kind of poke their head up from the unpatched world that they live in and go, "Oh, I think I might need to do something about the tool, because the tool's not working anymore." But they're not being left out in the dark. It's not costing them any money, but it does take the time to upgrade. They can go download this upgrade, and without the status of their license being updated, other than "hey, you can load this patch here," they can then upgrade and be patched but still be on their old legacy license. I think this is the best of both worlds. I'm really happy this is the path ConnectWise chose to go, because, well, ConnectWise in the past, I don't think, may have done that. Matter of fact, I have a video all the way back in early 2020 from their interaction previously when it came to security, and I don't think their posture then was as good, but here in 2024 they're doing the right thing, so I will, hey, give them a shout-out for that.

Now, the cleanup work is still a lot. There is a lot in the interim between this being discovered, the proof of concept getting out there and threat actors actioning on it; there are still a lot of companies that got hit. I don't know exactly how many, but from talking to my security friends it's not looking pretty for anyone who had these self-hosted instances that didn't jump on the patch. As I said, I was calling some of these people, even called a local competitor, so to speak, that's in the same space as me, and even they weren't aware of it because they were a couple of versions behind. You have to be absolutely on the latest version that is linked down below in the Huntress blog post and the ConnectWise post and all these posts; I have all the links for those of you that want to dig deeper into this. I just wanted to close the loop and get this video out there to let people know kind of why I did a weird live stream with a few of my friends, and it's because this is a pretty serious issue. We're users of ScreenConnect, so we were right away on top of the patches. I stay very in tune with the cybersecurity community and knowing what's going on, but yeah, this is a pretty scary event for anyone that's doing the self-hosting, or anyone that doesn't have a really tight patch cycle in terms of "hey, there's a release, yeah, I'm going to get to that tomorrow." No, no, you can't wait till tomorrow. This went under active exploit. This is actually why we were so tight-lipped about it, because the exploit being so trivial, even telling you how to detect the exploit or what to look for would actually also be telling you how to do the exploit, and the more people that know it, there's either going to be people doing it for the haha, just wanting to knock systems over, or, the much larger risk, threat actors actioning on this and taking over systems, which is not the outcome anyone wants to see. But leave your thoughts and comments down below, like and subscribe to see more content from the channel. Let me know if you think they were right or wrong with this move, and what do you think about security auditing? This is a big challenge. Companies, even when they go through code audit and code review, things can be missed. This was not easy to see; even though it's a trivial one to exploit, it wasn't easy to see how the code allowed this right away, at least especially for me. This is going to be where it's debated among security researchers who go, "That should have been obvious," but this is why I push: when anything is publicly exposed, code audits are really important, and even when they're done, sometimes things can still be missed. So you have to stay vigilant, make sure you're on top of these things, and of course always have a plan. Thanks.
Info
Channel: Lawrence Systems
Views: 11,230
Keywords: LawrenceSystems, ethical hacking, remote support, screenconnect exploit, screenconnect vulnerability, connectwise control, cybersecurity careers, remote access, remote support software, remote control, ScreenConnect 23.9.8
Id: FPOqY83-Y8k
Length: 8min 1sec (481 seconds)
Published: Thu Feb 22 2024