#ConnectWise breached in cyberattack linked to nation-state hackers
#ConnectWise RAT is the most popularly abused legitimate remote access tool and accounted for 56% of all active threat reports.
Read: https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/
Last week I posted a thread about a #spam campaign delivering a #ConnectWise client as its payload. As of this morning, the threat actors have changed the payload (https://www.virustotal.com/gui/file/30e1d059262b851a2b432ec856aeba5bb639ba764aa85643703163d62000a2f4) and it appears to try to connect to the address "relay.noscreener[.]info" which resolves to 104.194.145.66.
Embedded in the installer .msi file is a file called system.config, which contains this domain name and a base64-encoded string.
The fake Social Security website is still being hosted on a compromised site that belongs to a temp agency based on the east coast of the US.
Previous thread:
However, because this attack has been going on for two weeks, some endpoint protection tools (well, about a third of them) are catching on that this particular file is bad, and should feel bad.
https://www.virustotal.com/gui/file/13d71b884a0625f3aa3805fb779d95513d0485671ab8c090a0c790ceda071e63
The most important lesson here is that attackers always come up with new ways to evade detection. Using a commercially available, normally legitimate remote access tool with a valid cryptographic signature lets the attacker bypass some kinds of endpoint detection.
Remember to check the From: address in emails, and the destination of any links they point to. You can do this by hovering your mouse over the link without clicking, and waiting a second. If it says it's from the SSA, but it isn't pointing to SSA.gov, then it's a lie.
If you find content like this useful, please follow me here, or on LinkedIn: https://www.linkedin.com/in/andrew-brandt-9603682/
9/fin
When clicked, the button delivers malware, but it's an unexpected payload: A client installer for the commercial remote-access tool ConnectWise.
Every time I clicked the download link, it gave me the same file with six different random digits appended to the filename. Note that it is not, as the website implies, a PDF document, but a Windows executable file, with a .exe extension.
8/
This is where I tell you: don't do this! I am a trained professional. I click all the bad links so you don't have to. I am going to show you what happens next.
A button appears on this page, labeled "Access Your Statement." The site serving up this payload delivers a file named "Social Security Statement Documents [six digit random number].exe"
7/
Finally the target lands on a page on the InMotion site that closely resembles the look-and-feel of the content in the email message.
The page tells the visitor, in part "Download your statement as a PDF file" and "For security reasons, we recommend accessing your statement through your secure device."
Spoiler alert: It was not a PDF file.
(Edit: A reader informs me that this appears to be the hosting space used by the temp agency website, and that for whatever reason, the URL appears differently here.)
6/
The target's browser then lands on another website, hosted by a large hosting service, InMotion Hosting. As with the temp agency website, the attackers have set up multiple URLs on this site, where the first URL performs a 302 redirect to go to the second URL, for no apparent reason other than to create the URL equivalent of a Rube Goldberg contraption.
5/
That link then immediately 302 redirects the target's browser to a link on a second website, one that belongs to a temp agency based in the US state of Maryland.
The attackers have created two URLs on this company's site for this purpose. The first one redirects to the second one.
Again, the site appears to have been compromised and used specifically for the purpose of obfuscating the redirection chain.
4/
The first 302 redirect points to a page on a website belonging to a small business that has, apparently, been compromised and abused for this purpose.
3/
In this attack, the spammers have been sending emails that look like this official-appearing notification from the Social Security Administration.
The message says "Your Social Security Statement is ready to review" and includes a button at the bottom labeled "Download Statement."
The button links to a shortened URL that uses the link-shortening service t.ly to lead the target to a chain of 302 redirects. Malware spammers often do this to fool web reputation services and obfuscate the final destination of the link.
2/
It sometimes pays to run domains that serve purely as spam honeypots. Case in point: A spammer has been delivering a ConnectWise commercial remote access client application as a payload in a scam that uses the purported arrival of a US Social Security statement as its hook.
A ...
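The thread above describes a t.ly short link that fans out into a chain of 302 redirects across compromised sites before landing on the page that serves the ConnectWise installer, and ends with the advice to check where a link really points. The following added example, which is not from the thread or from any tool the author used, walks such a chain one hop at a time with a pluggable fetcher, records every host touched, handles relative Location headers and redirect loops, and checks whether the final destination actually belongs to the claimed sender's domain. The chain embedded in the code is constructed for the example (all hosts use the reserved .example TLD) and does not reproduce the real URLs from the campaign.

```python
"""Walk an HTTP redirect chain hop by hop and report where it ends up.

The fetcher is injected so the walking logic can be exercised offline
against a constructed chain; live_fetch() shows a real fetcher that
refuses to auto-follow redirects.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow_chain(start_url, fetch, max_hops=10):
    """Return a list of (url, status) hops from start_url to the final URL.

    fetch(url) must return (status_code, headers_dict) WITHOUT following
    redirects itself. Walking stops on a non-redirect status, a missing
    Location header, a revisited URL (marked "loop"), or after max_hops
    redirects (marked "max-hops").
    """
    hops, seen, url = [], set(), start_url
    while True:
        if url in seen:
            hops.append((url, "loop"))
            break
        if len(hops) > max_hops:
            hops.append((url, "max-hops"))
            break
        seen.add(url)
        status, headers = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_CODES:
            break
        location = headers.get("Location") or headers.get("location")
        if not location:
            break
        url = urljoin(url, location)  # Location may be relative to the current URL
    return hops


def hosts_in_chain(hops):
    """Distinct hostnames touched, in order of first appearance."""
    hosts = []
    for url, _ in hops:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def lands_on(hops, claimed_domain):
    """True if the final hop's host is claimed_domain or a subdomain of it."""
    final_host = (urlsplit(hops[-1][0]).hostname or "").lower()
    claimed = claimed_domain.lower()
    return final_host == claimed or final_host.endswith("." + claimed)


def live_fetch(url, timeout=10):
    """Real fetcher that returns (status, headers) without following redirects.

    urllib follows redirects by default; a handler that returns None from
    redirect_request() makes it raise HTTPError for 3xx instead, and the
    error object still carries the Location header.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed chain for offline use: short link -> compromised small-business
# site -> two URLs on a second compromised site (one relative Location) ->
# landing page on a hosting provider. Not the campaign's real URLs.
CONSTRUCTED_CHAIN = {
    "https://short.example/abc123": (302, {"Location": "https://smallbiz.example/wp-content/go.php"}),
    "https://smallbiz.example/wp-content/go.php": (302, {"Location": "https://tempagency.example/stmt/"}),
    "https://tempagency.example/stmt/": (302, {"Location": "view/"}),
    "https://tempagency.example/stmt/view/": (302, {"Location": "https://host.example/ssa/index.html"}),
    "https://host.example/ssa/index.html": (200, {"Content-Type": "text/html"}),
}


def fake_fetch(url):
    return CONSTRUCTED_CHAIN[url]


if __name__ == "__main__":
    chain = follow_chain("https://short.example/abc123", fake_fetch)
    for url, status in chain:
        print(status, url)
    print("hosts:", hosts_in_chain(chain))
    print("ends on ssa.gov:", lands_on(chain, "ssa.gov"))
```

Swap `fake_fetch` for `live_fetch` to walk a real short link from an isolated analysis box; the hop list is what you want in the ticket, and a final host that does not match the sender's claimed domain (here, anything other than ssa.gov) is the concrete check the thread recommends doing by hovering over the link.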
This is probably only relevant to a *very* small number of people, but since I just spent all morning figuring it out…
If you are trying to get #ConnectWise (remote screen-share tool) working on #Pop_OS #Linux and the shellscript installer is just failing silently, and the client never launches, try installing the "icedtea-netx" package.
That seems to be installed on stock Ubuntu 22.04 desktop (or at least it was on my Ubuntu machines), but for whatever reason my Pop_OS machine didn't have it.
With it installed, ConnectWise suddenly works. Magic!
Glad CW supports Linux, but slight shade at having a setup script fail silently.
#Connectwise #PowerShell Upload a file to Connectwise and Attach it to a Service Ticket with PowerShell http://dlvr.it/T7bqfk via PlanetPowerShell
Ransomware associated with LockBit still spreading 2 days after server takedown
Two days after an international... - https://arstechnica.com/?p=2005464 #screenconnect #connectwise #ransomware #security #lockbit #biz&it
The Fediverse and @GossiTheDog has just helped me do my job better. Outsourced supplier has just asked me to install #ConnectWise. If it were not for the recent posts by #CyberSecurity people on here; I wouldn't be aware of the recent issues so wouldn't be checking with the supplier that their ConnectWise setup is up to date!
Critical Vulnerabilities Alert in ConnectWise Software
Two vulnerabilities have been identified in ConnectWise's remote desktop software, ScreenConnect, affecting versions 23.9.7 and prior. The first vulnerability (CVE-2024-1708) is a path-traversal issue allowing potential remote code execution or access to sensitive data, rated with a high severity score of 8.4.
The second (CVE-2024-1709) is an authentication bypass, considered critical with a severity score of 10.0, and is easily exploitable with existing proof-of-concept exploits. ConnectWise has issued updates for cloud-hosted instances, but self-hosted deployments need immediate patching. The exposure is global, with significant concentrations in the United States, and it's expected that cybercriminals and nation-state actors will actively exploit these vulnerabilities.
| CVE Number | Description | CVSS Severity |
| ---- | ---- | ---- |
| CVE-2024-1708 | ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | 8.4 High |
| CVE-2024-1709 | ConnectWise ScreenConnect 23.9.7 and prior are affected by an authentication bypass using an alternate path or channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | 10.0 Critical |
Professionals using ConnectWise must urgently patch their systems to mitigate these vulnerabilities. The discovery underscores the importance of rigorous security practices in protecting IT infrastructures.
Tags: #CyberSecurity #VulnerabilityAlert #ConnectWise #CVE2024_1708 #CVE2024_1709 #PatchManagement #ITSecurity #RemoteCodeExecution #PrivilegeEscalation
Source: Unit42 by Palo Alto Networks
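The advisory above says ScreenConnect 23.9.7 and prior are affected and that self-hosted instances must be patched. The first practical step is triaging an inventory of self-hosted servers by version, and the common mistake there is comparing version strings lexically ("23.9.10" sorts before "23.9.8" as text). The following added example, which is not from the advisory, from Unit42, or from ConnectWise, parses dotted versions into integer tuples and classifies each host as affected, patched, or unknown. The inventory and the "ScreenConnect/<version>" banner format are constructed for the example; substitute whatever your scanner or the ScreenConnect admin page actually reports.

```python
"""Triage a list of ScreenConnect servers by version against the
CVE-2024-1708 / CVE-2024-1709 affected range (23.9.7 and prior)."""
import re

# Per the advisory, 23.9.7 and prior are affected, so the first version
# treated as fixed is 23.9.8. Compare the major.minor.patch prefix only;
# build numbers after the third component do not change the verdict.
FIRST_FIXED = (23, 9, 8)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Pull a dotted version out of a banner or header; None if absent."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def is_affected(version):
    """True when version is 23.9.7 or earlier (numeric, not string, compare)."""
    return tuple(version[:3]) < FIRST_FIXED


def triage(inventory):
    """Map host -> 'affected' | 'patched' | 'unknown'.

    inventory is an iterable of (host, banner) pairs. A banner that does not
    identify ScreenConnect, or carries no parsable version, is 'unknown'
    and needs a manual look rather than silent exclusion.
    """
    verdicts = {}
    for host, banner in inventory:
        version = parse_version(banner)
        if "screenconnect" not in banner.lower() or version is None:
            verdicts[host] = "unknown"
        elif is_affected(version):
            verdicts[host] = "affected"
        else:
            verdicts[host] = "patched"
    return verdicts


# Constructed inventory: hostnames and banners are placeholders, not real
# hosts. sc-02 is the case a string comparison would get wrong.
CONSTRUCTED_INVENTORY = [
    ("sc-01.corp.example", "ScreenConnect/23.9.7.8700"),
    ("sc-02.corp.example", "ScreenConnect/23.9.10.8817"),
    ("sc-03.corp.example", "ScreenConnect/22.8.1.8000"),
    ("sc-04.corp.example", "ScreenConnect/24.1.0.9000"),
    ("sc-05.corp.example", "nginx/1.25"),
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(CONSTRUCTED_INVENTORY).items()):
        print(f"{host}: {verdict}")
    # The trap this script avoids: as strings, "23.9.10" sorts before "23.9.8".
    print("string compare says 23.9.10 < 23.9.8:", "23.9.10" < "23.9.8")
```

Anything reported as "affected" is a patch-now item; anything "unknown" still needs a human to confirm the product and version, because a non-matching banner on a web front end can sit in front of a vulnerable instance.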
Researchers warn high-risk #ConnectWise flaw under attack is ’embarrassingly easy’ to exploit
@GossiTheDog We all knew slash was dangerous. Guns N' Roses outside shoulda told ya. #Connectwise #ScreenConnect
ConnectWise has disclosed two serious #vulnerabilities in their ScreenConnect (formerly Control) remote access product. The first vulnerability allows attackers to bypass authentication to execute arbitrary commands with full privileges. The second issue is a path-traversal vulnerability that allows attackers to access restricted resources.
Learn more about the vulnerability: https://www.runzero.com/blog/finding-connectwise-screenconnect/
Use runZero to find #connectwise ScreenConnect on your network: https://www.runzero.com/try/signup/