ConnectWise has also reported several breaches of ScreenConnect accounts due to vulnerabilities CVE-2024-1708 and CVE-2024-1709. According to ShadowServer, approximately 93% of ScreenConnect servers remain vulnerable, and these security gaps have already been leveraged in ransomware attacks.
Given the escalating threat posed by these vulnerabilities, Action1 has developed two scripts to assist in scanning systems for possible remote-control software as well as indicators of compromise specifically related to this vulnerability as reported by BitDefender. These scripts were designed to be used in Action1 (instructions below) but can be used stand alone or with any endpoint management/RMM system.
How to identify unauthorized remote-control tools on your network
Remote control software is indispensable for productivity and remote support but can introduce vulnerabilities if not managed correctly. Likewise threat actors will often use commercially available tools to maintain control of compromised systems. Due to these being legitimate software products, they can often slide under the radar of your typical threat hunting tools. To assist IT administrators in safeguarding their networks, Action1 has developed a PowerShell script to assist with finding these tools for further scrutiny. This script is designed to provide comprehensive insights into the presence of common remote access applications, such as AnyDesk, ConnectWise, TeamViewer, Splashtop, among others, across networks. It can identify up to *147 known remote-control applications, reporting their versions for enhanced monitoring. This functionality enables detailed reporting, filtering, and alerting, specifically if the ScreenConnect agent, or any other agent, is outdated, potentially vulnerable, or unrecognized as legitimate. By utilizing this script, IT professionals can take a proactive stance in maintaining network security and ensuring the integrity of their own remote access tools.
The script to detect remote control software can be downloaded using the provided link or direct from our GitHub repository.
 scale(0.100000, -0.100000)' fill='%23000000' stroke='none'%3E%3Cpath d='M970 2301 c-305 -68 -555 -237 -727 -493 -301 -451 -241 -1056 143 -1442 115 -116 290 -228 422 -271 49 -16 55 -16 77 -1 24 16 25 20 25 135 l0 118 -88 -5 c-103 -5 -183 13 -231 54 -17 14 -50 62 -73 106 -38 74 -66 108 -144 177 -26 23 -27 24 -9 37 43 32 130 1 185 -65 96 -117 133 -148 188 -160 49 -10 94 -6 162 14 9 3 21 24 27 48 6 23 22 58 35 77 l24 35 -81 16 c-170 35 -275 96 -344 200 -64 96 -85 179 -86 334 0 146 16 206 79 288 28 36 31 47 23 68 -15 36 -11 188 5 234 13 34 20 40 47 43 45 5 129 -24 214 -72 l73 -42 64 15 c91 21 364 20 446 0 l62 -16 58 35 c77 46 175 82 224 82 39 0 39 -1 55 -52 17 -59 20 -166 5 -217 -8 -30 -6 -39 16 -68 109 -144 121 -383 29 -579 -62 -129 -193 -219 -369 -252 l-84 -16 31 -55 32 -56 3 -223 4 -223 25 -16 c23 -15 28 -15 76 2 80 27 217 101 292 158 446 334 590 933 343 1431 -145 293 -419 518 -733 602 -137 36 -395 44 -525 15z'/%3E%3C/g%3E%3C/svg%3E)
* Note: If you use the remote-control agent search script outside of Action1, by default the Action1 agent is excluded, but this is an easy edit to make the script detect it as well, just remove action1_agent.exe from the $ignore array variable.
How to Scan Systems for Indicators of ScreenConnect Compromise
This script developed by Action1, is designed to alert administrators to potential unauthorized access and malicious use of their hosts. BitDefender reported that systems that had been compromised using CVE-2024-1708 and CVE-2024-1709, would leave behind malicious files in the ScreenConnect extension directory to maintain persistence. The following script monitors that directory for signs of change. Note there may or may not be files already present in this directory for your implementation, this script is designed to keep record of what those files are and when last modified, so you can set up alerts detecting unexpected or unauthorized edits, creations, or deletions from this directory. Also note this script does not detect any malicious code indicators outright, so presence of files here should be investigated for legitimacy, and absence of files here only indicates this host was not compromised in this commonly reported way.
The script to detect CVE-2024-1708 & CVE-2024-1709 IOC can be downloaded using the provided link, or direct from our GitHub repository.
Using these scripts in Action1
Log in to the Action1 Platform or sign up for an account, the first 100 endpoints are free with no feature limitations.
No credit card. 100 endpoints free. No feature limits.
Then follow the instructions below for adding new data sources and reports to the system.
1. Click to create a new data source or follow these steps:
-
- Go to Configuration | Data Sources, click [+New]
- Enter data source name, such as ‘Remote Control Tools’, [Next]
- Copy and paste the script above, [Next]
- Run on a test endpoint*, [Finish]
*This step WILL run the script on the endpoint, so ensure whatever system is being tested on has a proper backup recovery procedure.
2. Click to create a new report based on the new data source or:
-
- Go to Real-time Reports & Alerts | Custom Reports, click +Add
- Select your new data source (e.g. ‘Remote Control Tools’)
- Enter report name, such as ‘Remote Control Tools’, [Next].
- Choose [Simple Report]
- Click [Add Columns] and add all columns, [Next], [Finish]
For more insights and updates, keep an eye on our blog and join our upcoming webinars.
