SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)

Table of Contents: 

• Adversaries Deploying Ransomware
• Adversaries Enumerating
• Adversary Cryptocurrency Miners
• Adversaries Installing Additional Remote Access
• Downloading Tools and Payloads
• Adversaries Dropping Cobalt Strike
• Adversaries Persisting
• Wrapping Up
• Appendix

Since February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we’re calling “SlashAndGrab.” In previous posts, we shared the details of this vulnerability, its exploit, and shared detection guidance.

In this article, we’ve collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC), where our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation tradecraft.

The adversaries taking advantage of this vulnerability have been VERY busy. There is a lot to cover here, so buckle up and enjoy some tradecraft! 

Adversaries Deploying Ransomware 

A number of adversaries leveraged their newly ill-gotten ScreenConnect gains to deploy ransomware. 

LockBit

With the impressive joint international takedown efforts to disrupt the LockBit ransomware group, many are asking how “LockBit” is still relevant. The LockBit deployments that we’ve seen are invoked with an encryptor that looks to be compiled around September 13, 2022—which is the same timeline as the leaked LockBit 3.0 builder in the past. One observed filename is classic LB3.exe, which again, matches the canned and publicly leaked builder.

We believe this is an important distinction. While the malware deployed appears associated with LockBit, there is no evidence we’ve seen suggesting the joint international takedown efforts are anything short of a landmark milestone to disrupt one of the largest and most active ransomware groups in the world.

We’ve included the resulting ransom note associated with the above executable. 

Other Ransomware Attempts

We observed other ransomware attempts, like upd.exe and svchost.exe, that Microsoft Defender consistently neutralized.

We also observed adversaries leverage certutil downloaded ransomware .MSI payloads, which they also made persistent via startup folders.

The ransom note from the threat actor who deployed the MSI has been included as well. 

Ransomware Anti-Forensics

Ransomware actors also tried to remove event logs via wevtutil.exe cl to frustrate investigators' analysis at a later time. Fortunately, Huntress Managed EDR is far too perceptive to entertain adversarial frustration. 😉 

Adversaries Enumerating

There was a particular adversary, using 185.62.58[.]132, executing a script on compromised systems across multiple unique victim networks. The intent of the script was to identify which of their compromised systems with the highest privileges.

We believe this demonstrates the scale with which threat actors are abusing this vulnerability as they are working to automate their understanding of where to take additional, post-compromise actions moving forward. 

Adversary Cryptocurrency Miners

Somewhat disappointing for a lack of originality, a significant number of adversaries used their ScreenConnect access to deploy cryptocurrency coin miners.

There was a particularly entertaining attempt to masquerade a coinminer as a legitimate SentinelOne file. 

We also observed adversaries downloading and using a xmrig cryptominer, with further details below. 

Adversaries Installing Additional Remote Access

Adversaries seemed to commonly install additional, “legitimate” remote access tools, likely as an attempt to remain persistent even once the ScreenConnect fiasco has been cleared up. 

Simple Help

An adversary we observed installed the Simple Help RMM, from their ScreenConnect initial access.

We observed the Simple Help RMM agent deployed in the following directories:

• C:\\Users\\oldadmin\\Documents\\Maxx Uptime remote connection\\Files\\agent.exe\
• C:\\ProgramData\\JWrapper-Remote Access\\JWAppsSharedConfig\\restricted\\SimpleService.exe
• C:\\Users\\oldadmin\\Documents\\MilsoftConnect\\Files\\ta.exe
• C:\Windows\spsrv.exe

We also observed a configuration file dropped to C:\\ProgramData\\JWrapper-Remote Access\\JWAppsSharedConfig\\serviceconfig.xml, which revealed it was configured to communicate to the public IPv4 91.92.240[.]71.

The user oldadmin was observed being used running similar commands across multiple unique victim organizations.

SSH

This threat actor leveraged their ScreenConnect access to download and run an SSH backdoor, seemingly to facilitate an RDP connection. 

Google Chrome Remote Desktop

We also observed an adversary do something quite interesting with Google Chrome’s Remote Desktop. They pulled the installer directly from Google infrastructure, which stores it as a service—no doubt in the hopes they could persistently and remotely access the environment via a second GUI remote access tool (we enjoy crushing hacker hopes here at Huntress).  

Downloading Tools and Payloads

A common tradecraft denominator between the adversaries we observed involved them downloading further tools and payloads.

For example, an adversary leveraged PowerShell’s Invoke-WebRequest (iwr) to call on additional payloads for their SSH persistent tunnel.

We also observed an adversary download the SimpleHelp RMM via curl and rename the executables to .png’s in an attempt to evade detection (spoiler: they did not evade detection). 

There was also this straightforward PowerShell downloading activity. However, the file was deleted, and their infrastructure was offline, meaning the file’s intent had not been determined. 

Download Evasion

We also observed adversaries leverage LOLBINs like certutil to download their payloads, likely in an attempt to fly under the radar.

Some adversaries maliciously modified the AV on the host before downloading their payloads. In this specific example, svchost.exe was deleted before analysis could be conducted. 

Adversaries also used their ScreenConnect sessions to reach out and download Cobalt Strike beacons from their external infrastructure. Specifically, this threat actor saved their beacon as a .PDF on a web server, renaming it to a .DAT on the targeted machine.

Transfer.sh

Interestingly, we observed an adversary mass download cryptocurrency miners using the temporary file upload website transfer.sh.

Excerpt of the script (full script in the Appendix): 

Adversaries Dropping Cobalt Strike

Unsurprisingly, many adversaries attempted to drop and run a Cobalt Strike beacon on the host. 

It’s also worth noting that Defender thwarted many of these attempts, as seen in Figure 20.

It was also common to see the same adversaries drop the (earlier mentioned SentinelUI) cryptocurrency miner and attempt a Cobalt Strike beacon, which Windows Defender would neutralize. 

Adversaries Persisting

Adversaries, of course, want to persist in an environment, beyond their initial access method—and for good reason. This ScreenConnect vulnerability had rapid mitigations suggested by Huntress and ConnectWise that would have undermined the adversary’s access. 

Creating New Users

Our SOC observed a number of adversaries prioritize creating their own users, once they landed on a machine, using naming conventions that would attempt to fly under the radar, as well as add these to highly privileged groups.

Persistent Reverse Shell

The SOC also observed an adversary transfer a C:\\perflogs\\RunSchedulerTaskOnce.ps1 from the ScreenConnect compromised, as confirmed from analysis of Windows Event Log’s Application.evtx - Event ID 0.

The script was in fact deleted, but could be partially restored by taking the PowerShell Operational EVTX and running this script, which re-stitched the script back together from its ScriptBlockId (excerpt of script below).

This would download a driver.dll, and leverage WMI Event Consumer / PwSH persistence (named System__Cmr).

Wrapping Up

This incredibly interesting ScreenConnect exploit has enamored many of us at Huntress for the last few days, but it’s a shame our adversaries didn’t commit to pairing this new exploit with new tradecraft.

It’s worth driving this point home: most of the post-compromise activities we have documented in this article aren’t novel, original, or outstanding. Most threat actors simply don’t know what to do beyond the same usual, procedural tradecraft; cybercriminals are rarely sophisticated, and the infosec community can beat them together.

Adversaries will default to their “tried and true” methods. An experienced, talented security team can neutralize most threat actors in the middle of their campaigns with ease. We hope this article inspires your security mindset. If you need any help monitoring for activity related to this vulnerability, you can use Huntress' free trial.

If you’re interested in more, come and check out the next episode of our Product Lab webinar, where we’ll be sharing even more technical details behind this threat and answer any questions from the community.

Appendix

ATT&CK

IoCs

Contents of inject.ps1 - Crypto Currency Miner

Acknowledgments

Thank you to the following Huntress SOC analysts for their triage and reporting of the various adversarial activities included in this report: Adrian Garcia, Amelia Casley, Chad Hudson, Dani Dayal, Christopher ‘Dipo’ Rodipe, Dray Agha, Faith Stratton, Herbie Zimmerman, Izzy Spering, Jai Minton, John ‘JB’ Brennan, Jordan Sexton, Josh Allman, Mehtap Ozdemir, Michael Elford, Stephanie Fairless, Susie Faulkner, Tim Kasper.

Special thanks to Josh Allman and Dray Agha for further analysis, and collecting and curating this blog.