
Ransomware Affiliates Targeting ScreenConnect Cloud Instances

Pondurance
December 15, 2021

The Pondurance research team is aware of at least one major campaign to infiltrate and take over cloud management consoles for ConnectWise’s ScreenConnect remote monitoring and management product, which is considered one of the most utilized products in the IT management space. 


This approach exploits two major areas of concern: the registration of foreign domains in the ScreenConnect.com.<countrycode> namespace (e.g., ScreenConnect.com.so), which are extremely effective at social engineering users, and the ability to create local accounts with unregistered email addresses within the console itself to bypass existing controls. Below are two examples of registered domains abusing ScreenConnect's name within the country-code top-level domain space of Cameroon (.com.cm) and Somalia (.com.so). Pondurance has shared indicators of compromise with the incident response team at ConnectWise.

DomainTools screenshot

The first area, spoofing the valid website ScreenConnect.com, is delivered to the victim as a redirect from AWSTrack.me, which is a legitimate, AWS-hosted click-tracking tool.
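As an added defensive example (not code from the Pondurance post), the following Python flags lookalike ScreenConnect hostnames in URL logs, including a target hidden inside a click-tracker redirect; the legitimate suffix list, the awstrack-style link layout and the sample log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Assumption: hostnames that legitimately carry the brand name.
LEGIT_SUFFIXES = ("screenconnect.com", "connectwise.com")
BRAND = "screenconnect"
# Lookahead so URLs nested inside a redirect URL are found as well.
URL_RE = re.compile(r"(?=(https?://[^\s'\"<>]+))", re.IGNORECASE)


def is_lookalike(host):
    """True when the brand appears in a host that is not under a legitimate
    suffix, e.g. screenconnect.com.so or screenconnect.com.cm."""
    host = host.lower().rstrip(".")
    for suffix in LEGIT_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return False
    return BRAND in host


def hosts_in(text):
    """Every hostname reachable from a line, after one round of
    percent-decoding so %2F-encoded redirect targets surface."""
    hosts = []
    for match in URL_RE.finditer(unquote(text)):
        host = urlparse(match.group(1)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def flag_log_lines(lines):
    """Return (line_no, host) for each line pointing at a lookalike host."""
    findings = []
    for n, line in enumerate(lines, 1):
        for host in hosts_in(line):
            if is_lookalike(host):
                findings.append((n, host))
    return findings


# Constructed sample proxy lines; the hosts are not indicators from the post.
SAMPLE_LOG = [
    "user1 GET https://screenconnect.com/Login",
    "user2 GET https://example.awstrack.me/L0/https:%2F%2Fscreenconnect.com.so%2Freview",
    "user3 GET https://screenconnect.com.cm/Login?return=/",
    "user4 GET https://mail.example.com/inbox",
]

if __name__ == "__main__":
    for n, host in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: lookalike host {host}")
```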


The threat actor's phishing kit captures multifactor authentication in order to initiate a session into the administrator console. ConnectWise ScreenConnect Cloud enforces session timeouts aggressively, requiring reauthentication, so attacks that rely on stolen session tokens, like those seen against Microsoft 365, appear to be mostly mitigated. Therefore, the threat actors abuse a separate component of the console to survive the timeout.


Pondurance's research indicates that threat actors are able to create a new user and delegate administrative privileges to it, regardless of whether the new user's email is valid. It should be noted that new registrants for a trial version of ConnectWise must use a valid company email and cannot use common email providers such as gmail.com. However, after creation, no such constraints or limitations are applied by default. For example, Pondurance was able to create a local account for test@pppondurance.com, even though pppondurance.com is not a valid domain, the address is not a valid mailbox, and no verification of either was required. While creating a new company domain and applying a new MX record are rather trivial, these actions would add time to scaling this criminal campaign. Moreover, this local account can bypass existing security controls applied to the organization's tenant.



The campaign ultimately results in ransomware deployment through the product itself, with a normal life cycle of reconnaissance, credential harvesting, backup deletion, and antivirus disabling.


Pondurance understands that the phishing emails pose as "New Login on Your ScreenConnect Instance" notices from ScreenConnect. Below is an image of a legitimate notice from ScreenConnect for login activity. It is important to note that the legitimate notice contains no "Review Activity" link and asks you to log in to the portal of your own accord. Pondurance is aware that links once legitimately existed in these notifications, but they were removed by ConnectWise at some point in the previous year. Pondurance advises that clients should not click on any link associated with these login notices that may appear as "Review Now".

ScreenConnect New Login Alert
