Production Perig - stock.adobe.c

When critical cyber response becomes second nature

When alerts and headlines blare out warnings of critical vulnerabilities in widely-used software, the cyber security community needs to adopt a more decisive and clear-cut approach, says Huntress' Chris Henderson

When alerts and headlines blare the warnings of a critical vulnerability in widely used software, the response within the cyber security community must be decisive and clear-cut.

This was precisely this scenario that unfolded earlier this year on 19 February, when ConnectWise issued a security advisory for all versions below 23.9.8 of their on-prem ScreenConnect product, a popular software used to manage systems remotely. The advisory referenced two vulnerabilities (CVE-2024-1709 and CVE-2024-1708) and urged users to patch immediately.

Normally, this would not be a cause for alarm. But with one of the vulnerabilities garnering a CVSS score of 10, the highest level of severity, and the ConnectWise advisory rated “Critical,” the news left the Huntress team’s Spidey senses tingling.

Amidst the urgency and uncertainty, the Huntress team stood at the forefront of the response and sprang into same-day action. What follows is a behind-the-scenes look at the quick response, careful coordination, and commitment to community protection that defined that response.

The crucial role of cyber teams: Putting expertise into action

In times of critical vulnerability and imperative action, it is paramount that cyber teams quickly apply their collective expertise to help accelerate response and remediation. Within hours of the ConnectWise bulletin, the Huntress team came together to successfully reproduce and develop a proof of concept that would weaponise the vulnerability for the authentication bypass, coining the term “SlashAndGrab” for this seemingly basic exploit that left users remarkably susceptible to threats.

 Cyber teams sounding the alarm must work with caution and precision, emphasising severity while providing clear, actionable steps. At the time of the discovery, the team noted that more than 8,800 ConnectWise servers remained vulnerable. This necessitated the creation of a temporary hot-fix “vaccine,” along with clear instructions for how users should proceed. We didn’t want users to become sitting ducks with this vulnerability festering in their systems.

Read more about the ConnectWise incident

  • Huntress said in a blog post this week that the ConnectWise ScreenConnect flaws, which have come under attack, were 'trivial and embarrassingly easy' for a threat actor to exploit.
  • ConnectWise ScreenConnect users who have yet to patch against a critical vulnerability are now being targeted by a barrage of cyber attacks, including ransomware.
  • More ransomware gangs have been observed exploiting two dangerous vulnerabilities in ConnectWise ScreenConnect software, prompting new warnings for users to get patching.
  • Coalition is latest company to confirm LockBit activity against vulnerable ScreenConnect instances. But the insurer found significant differences between previous LockBit attacks.

A playbook to navigate crisis 

Mike Tyson famously said that "Everyone has a plan ‘til they get punched in the face". And when helping the community through major incidents, you’re going to take a few punches. That’s why teams must lean on experience, establish playbooks and foster a culture of communication in order to build the plan.

Step 1. Understand what you're dealing with. 

Situations like the ConnectWise vulnerability require clear roles and communication, with every team understanding the threat, the role they play and the right information to share. While there weren’t many details provided with the initial advisory, Huntress’ team of threat researchers and SOC analysts immediately got to work trying to learn as much as possible about these vulnerabilities.

Along the way, we started documenting the high-level, critical information to prepare marketing and support teams in their efforts. In a matter of hours, we were able to understand the exploit and build a proof of concept (PoC) exploit. This is a testament to how basic this vulnerability was and how easy it would be for an attacker to exploit it.

Step 2: Sound the alarm

It’s important to sound the alarm in a way that prompts action and builds defences quickly. In the immediate aftermath of the advisory, the team reached out to every Huntress partner who had a vulnerable version of ScreenConnect and reiterated the need to patch immediately. We sent over 1,600 incident reports to partners, with clear next steps included, since we knew that quick communication and mitigation was key to closing the window of opportunity for attackers.

Another layer of complexity: once the Huntress team easily recreated the exploit, we knew we didn’t want to provide public details about the vulnerability until there had been adequate time for the industry to patch. It would be too dangerous for this information to be readily available to threat actors and we didn’t want to give them the informational equivalent of a loaded gun.

Of course, it didn’t take long before the secret was out. The exploit details were shared by multiple parties, becoming widely available to the public and hackers alike. We quickly turned our attention to helping the community, releasing a detailed analysis, providing detection guidance and emphasizing the need to patch immediately. Once a proof of concept is available publicaly, broad communication increases the likelihood that those impacted will receive the notifications. The benefit of empowering defenders with the PoC and applicable defences reduces more risk than trying to hide it.

Step 3: Take bold action

Rather than sitting on our hands and waiting for things to get bad (really, really bad), we did something about it, releasing the vaccine hotfix to hosts running the vulnerable version. A hotfix could temporarily thwart bad actors while allowing users time to patch and update appropriately. Within mere hours, our hot-fix and additional detection guidance were available and shared publicly by our team, with step-by-step details for partners and affected organizations.

As more information trickled in, we added new content and information around all things SlashAndGrab. When in doubt, be proactive. A team’s ability to take matters into their own hands and quickly communicate can make the difference in how the community responds.

Sharper cyber teams = stronger response

To quote our CEO, Kyle Hanslovan, “This sh*t (was) bad.” But it didn’t need to get worse. With a coordinated response that includes a solid playbook for navigating crisis events, cyber teams can become part of the solution and protect the community faster and more effectively.

Read more on Data breach incident management and recovery