Security Leader’s TLDR: Optum Incident and ConnectWise Vulnerabilities
The 3rd week of February saw a very dangerous set of vulnerabilities exploited to impact Optum and caused data processing issues for many of their customers in the healthcare space. To many outside observers it seems that significant vulnerabilities in ConnectWise and ScreenConnect software were the likely initial attack vector.* The scope of these vulnerabilities – and the exploits they enable – are truly staggering. At a high level, malicious users can rewrite your ConnectWise environment, and reset user rights and access. This is full ownership of a remote access solution and deserves your immediate attention.
If you’re a healthcare organization, or healthcare adjacent, your organization likely counts Optum as a partner. This has likely impacted your ability to do business, at least in a peripheral way. Continuous monitoring, focused on traffic to and from Optum, is encouraged to ensure that their breach is not used as a pivot point to attack your environment. Following that up with a review of what data you’re sharing back and forth with Optum to understand and prepare for what their breach may mean for your – and your customers’ data – is recommended.
For ConnectWise customers, your cloud controller solution has already been patched. For on-premise/self-managed cloud deployments, patching is an absolute must.
But unfortunately, these vulnerabilities require more than just patching to at least version 23.9.8. Several additional recommendations should be implemented:
- Review recent logs for not just “direct” evidence – These vulnerabilities create a fantastic opportunity for malicious actors to gain initial access into your environment and then set up their own preferred access methods. So review those logs for indicators of other malicious activity beyond just exploiting these vulnerabilities. Work with your MDR provider to assist with this, and monitor with extra attention until you are confident you have no after effects.
- Rebuild your ConnectWise and ScreenConnect systems – Unfortunately, these vulnerabilities allow malicious actors to manipulate the configuration of your ConnectWise system and servers. Rebuild on different hardware/VM space when possible.
- Rotate accounts (or at least passwords) – Passwords, and where feasible, account names, should be changed for any administrative or system accounts associated with your ConnectWise and ScreenConnect systems, or any that shared a common password with those administrative accounts. As always, administrative accounts should rely on Multi Factor Authentication wherever possible.
For the general public, if ConnectWise isn’t part of your core infrastructure, you may wish to disable the execution of the ScreenConnect clients as their vulnerabilities can allow remote code execution on your endpoints running the client. Doing this via an EDR policy is one recommendation.
The impact of these vulnerabilities cannot be overstated. Expect to hear about additional breaches that may have been initiated through these in the coming weeks. Each environment’s risk posture is unique, but for most organizations with these tools, efforts should be made immediately to address these vulnerabilities. There are several useful resources for additional guidance concerning this incident, included below for further reading.
Details For Operators
Two Vulnerabilities
The first is a Remote Code Execution “style” attack, conducted through a simple modified url post. The application is widely used by managed service providers (MSP) to connect to customer environments. Considering the ease of exploitation, along with the impact of resetting the local user database, this vulnerability provides administrative access from the beginning to a remote user.
The first vulnerability can be paired with a second vulnerability, a path-traversal issue that allows unauthorized file access. ConnectWise ScreenConnect 23.9.7 and prior are affected by this path-traversal vulnerability, which may allow an attacker to execute remote code or directly impact confidential data or critical systems. Dubbed a “zip-slip attack” by Huntress Labs, it delivers a malware loader inside a zipped or compressed folder without any access restrictions to the zipped folder. Unfortunately, with the first vulnerability, it is easier for the threat actors to take advantage of the second.
ScreenConnect Critical Vulnerability Quick Points
Vulnerability: ScreenConnect Authentication Bypass
Potential Exploitation: Unauthorized access to ScreenConnect instances
Impact: Risk of data breaches, unauthorized system modifications, and service disruption
Mitigation: Applying patches or updates provided by the vendor for on-prem instances, and monitoring for suspicious activity.
Deeper Dive:
Vulnerability Report: Vulnerabilities were reported on February 13, 2024 concerning authentication bypass and improper limitation of directory paths.
Severity: Rated as critical, with a high priority due to the potential for remote code execution or compromise of confidential data.
Affected Versions: ScreenConnect 23.9.7 and earlier.
IOCs: ConnectWise has been made aware that the following IP addresses were used by threat actors exploiting this vulnerability
155.133.5[.]15
155.133.5[.]14
118.69.65[.]60
118.69.65[.]61
207.148.120[.]105
192.210.232[.]93
159.203.191[.]1
The following executables have been identified as malicious files dropped by the threat actors in documented breaches:
- megahealth.exe – ALPHV Windows Encryptor – 944153fb9692634d6c70899b83676575
- 363.sys -Anti Virus Tools Killer – TERMINATOR is an open-source tool written in C++ that reproduces Spyboy technique to terminate all EDR/XDR/AVs processes by abusing the zam64.sys driver – 341d43d4d5c2e526cadd88ae8da70c1c
- LMtool.exe – Suspected CobaltStrike BEACO – 34aac5719824e5f13b80d6fe23cbfa07
- Info.exe – CobaltStrike BEACON – eea9ab1f36394769d65909f6ae81834b
- him – ALPHV Linux Encryptor – 379bf8c60b091974f856f08475a03b04
- first.exe – SimpleHelp Remote Management tool – ebca4398e949286cb7f7f6c68c28e838
- conhost.exe – Tunneler Tool – c04c386b945ccc04627d1a885b500edf
- ibmModule.dll -Anti Virus Tools Killer – 824d0e31fd08220a25c06baee1044818
Other IoCs are available in the resource links shared below.
Instructions and Patch Link: Detailed instructions for updating to the newest release are provided, along with the link to download the patch from the ConnectWise ScreenConnect website.
Resources for further information:
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
https://services.google.com/fh/files/misc/connectwise-screenconnect-remediation-hardening-guide.pdf
*In the first days after the breach was announced, this was the common expectation from a wide number of third party security observers. The odds were in their favor: a massive vulnerability like the one in ConnectWise products announced within hours of a massive breach being announced at Optum and the pieces definitely fit. But there is a major problem with the observation – the only way to know for certain is for Optum to release a lot of investigation details that they may not choose to share, even with new regulatory requirements. This is the nature of any analysis of major data breaches without the victims themselves sharing details.
Alec Fenton is a cybersecurity expert with over 15 years of experience. For the past 12 years, he has specialized in cybersecurity, working in various roles from analyst to leadership positions. Known for his “lead from the front” style, Alec has tackled diverse cybersecurity challenges in both managed service providers and private companies. Currently serving as a technical advisor and customer advocate at Deepwatch for the past 2 years, Alec is dedicated to building cybersecurity resilience across the Deepwatch customer base.
Share