Cyber Threat Intelligence Briefing - February 26, 2024

This week, we continue to cover the ConnectWise ScreenConnect vulnerabilities and United Healthcare Optum Breach and include a vulnerability roundup.

One / To Rule Them All

ConnectWise released a security advisory on February 19, 2024, for two critical vulnerabilities in their ScreenConnect software.  The two vulnerabilities are now identified as CVE-2024-1709 and CVE-2024-1708, and allow for authentication bypass and path traversal.

The most critical vulnerability of the pair, CVE-2024-1709, has a maximum CVSS score of 10.0, due to its ease of exploitation and remote code execution capabilities.

CVE-2024-1709, also known as "SlashandGrab", allows attackers to access the Setup Wizard page by simply adding a '/' character to the end of the '/SetupWizard.aspx' path.  With this access, the threat actor can easily create a new administrative user.  With this access, the threat actor can then leverage utilities such as certutil.exe to download and execute further malicious programs.  Multiple proof-of-concept exploits have been released in the wild, and the vulnerability is under active exploitation.

Threat actors exploiting this vulnerability have already been observed deploying ransomware, cryptominers, infostealers, and installing RMM tools and Cobalt Strike for further persistence.

ScreenConnect Remediation

Any on-premises instance of ScreenConnect should be updated to version 23.9.8 or later.

If the security update was applied after February 21, it is recommended to review the ScreenConnect host for signs of compromise, including reviewing the users.xml file for evidence of new user accounts and inspecting for webshells or other remote access tools that may have been installed on the device.

See the PacketWatch blog here for IOCs and threat-hunting queries.

Additional Resources

• https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
  
• https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
  
• https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/
  
• https://www.bleepingcomputer.com/news/security/new-screenconnect-rce-flaw-exploited-in-ransomware-attacks/
  
• https://www.bleepingcomputer.com/news/security/screenconnect-critical-bug-now-under-attack-as-exploit-code-emerges/

United Healthcare Optum Breach

On February 21, 2024, United Healthcare filed an 8-K to the SEC disclosing a cyber attack from still unidentified "nation-state" attackers. The attack impacted its payment processing subsidiary, Optum's Change Healthcare.

Due to this incident, the American Hospital Association issued a recommendation that "all health care organizations that were disrupted or are potentially exposed by this incident disconnect from Optum until it is independently deemed safe to reconnect to Optum".

The full extent of this incident and what, if any, data was taken are still unclear.

Out of an abundance of caution, PacketWatch recommends rotating credentials for accounts on United Health Group (UHG) and Optum sites and ensuring that multi-factor authentication (MFA) is enabled on these accounts. 

Additional Resources

• https://www.sec.gov/Archives/edgar/data/731766/000073176624000045/unh-20240221.htm
  
• https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-optum-hack-behind-us-healthcare-billing-outage/

Vulnerability Roundup

CVE-2024-21410: Exchange Vulnerability Under Active Exploit

A critical vulnerability in Microsoft Exchange Server addressed in the February Patch Tuesday updates is under active exploitation. The vulnerability is tracked as CVE-2024-21410 and has a CVSS score of 9.8.

Per the Microsoft advisory, an attacker can "target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability, which can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf."

In short, successful exploitation allows the attacker to authenticate as the targeted user (privilege escalation).

Administrators are urged to apply the Microsoft update as soon as possible.

Additional Resources

• https://msrc.microsoft.com/update-guide/releaseNote/2024-Feb
  
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  
• https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21410
  
• https://thehackernews.com/2024/02/critical-exchange-server-flaw-cve-2024.html

CVE-2023-40057, CVE-2024-23476, CVE-2024-23477, CVE-2024-23478, CVE-2024-23479: Multiple SolarWinds RCEs

SolarWinds recently released a security bulletin detailing fixes for five new remote code execution (RCE) vulnerabilities in its Access Rights Manager (ARM) solution. Three of these vulnerabilities allow for unauthenticated RCE.

The vulnerabilities are tracked as CVE-2023-40057, CVE-2024-23476, CVE-2024-23477, CVE-2024-23478, and CVE-2024-23479, which affect ARM versions prior to 2023.2.3.

Administrators are urged to patch these vulnerabilities as soon as possible.

Additional Resources

• https://www.solarwinds.com/trust-center/security-advisories
  
• https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rce-bugs-in-access-rights-audit-solution/

CVE-2024-22245, CVE-2024-22250: VMware EAP Critical Vulnerabilities

On February 20, VMware released a security advisory detailing two critical vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP).

The vulnerabilities, CVE-2024-22245 and CVE-2024-22250, are authentication relay and session hijack vulnerabilities that allow a threat actor to "trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)."

Since this plugin was officially deprecated in 2021, the official guidance from VMware to address these vulnerabilities is to remove the plugins. Detailed guidance on how to remove the plugin can be found here.

• https://www.vmware.com/security/advisories/VMSA-2024-0003.html 
• https://kb.vmware.com/s/article/96442 
• https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-remove-deprecated-vulnerable-auth-plug-in/ 

Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.