
When critical cyber response becomes second nature

by Admin

When alerts and headlines blare warnings of a critical vulnerability in widely used software, the response within the cyber security community must be decisive and clear-cut.

That was exactly the situation that unfolded earlier this year on 19 February, when ConnectWise issued a security advisory for all versions below 23.9.8 of its on-prem ScreenConnect product, a popular tool for managing systems remotely. The advisory referenced two vulnerabilities (CVE-2024-1709 and CVE-2024-1708) and urged customers to patch immediately.
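The advisory's threshold ("all versions below 23.9.8") is the first thing a defender has to turn into a host list. The helper below is an added example, not code from the article, ConnectWise or Huntress; it assumes you already have an inventory of hostnames and reported ScreenConnect version strings from your own asset management, and the sample inventory in it is constructed. It exists mainly to avoid the classic triage mistake of comparing version strings lexically, where "23.10.1" sorts below "23.9.8".

```python
"""Triage helper: flag ScreenConnect hosts below the 23.9.8 patch threshold.

Added example, not code from the article or from ConnectWise/Huntress.
Assumes an inventory of (hostname, version string) pairs collected from
your own asset management system; SAMPLE_INVENTORY below is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Threshold taken from the ConnectWise advisory: every version below this is vulnerable.
PATCHED_VERSION = "23.9.8"

# Constructed sample data, not real hosts. Four-part versions mirror the
# "major.minor.patch.build" shape ScreenConnect reports.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("sc-prod-01", "23.9.7"),
    ("sc-prod-02", "23.9.8"),
    ("sc-branch-a", "23.10.1"),
    ("sc-legacy", "22.6.1004"),
    ("sc-lab", "23.9.8.8811"),
    ("sc-unreported", ""),  # agent never reported a version
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints for safe comparison.

    Lexical comparison is wrong here: "23.10.1" < "23.9.8" as strings, but
    23.10.1 is the newer build. Tuples of ints compare component-wise, and a
    shorter tuple such as (23, 9) sorts below (23, 9, 8), i.e. 23.9 < 23.9.8.
    A component with no leading digits is treated as unparseable.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(m.group(0)))
    return tuple(parts)


def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True if `version` is strictly below the patched release."""
    return parse_version(version) < parse_version(patched)


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split an inventory into vulnerable, patched and unknown hosts.

    Hosts whose version cannot be parsed go to "unknown" rather than being
    silently assumed safe; they need a manual check just like vulnerable ones.
    """
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket:>10}: {len(hosts):3d}  {', '.join(hosts)}")
```

The "unknown" bucket is deliberate: an agent that reports no version at all is more likely to be a stale or broken install than a freshly patched one, so it belongs on the follow-up list with the vulnerable hosts, not with the patched ones.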

Usually, this would not be a cause for alarm. But with one of the vulnerabilities carrying a CVSS score of 10, the highest possible severity, and the ConnectWise advisory rated "Critical," the news set the Huntress team's Spidey senses tingling.

Amid the urgency and uncertainty, the Huntress team stood at the forefront of the response and sprang into same-day action. What follows is a behind-the-scenes look at the rapid response, careful coordination, and commitment to community safety that defined it.

The critical role of cyber teams: Putting expertise into action

In times of critical vulnerability and urgent action, it is paramount that cyber teams quickly apply their collective expertise to help accelerate response and remediation. Within hours of the ConnectWise bulletin, the Huntress team came together to successfully reproduce the authentication bypass and develop a proof of concept that weaponised it, coining the term "SlashAndGrab" for this remarkably basic exploit that left users highly exposed to threats.


Cyber teams sounding the alarm must work with caution and precision, emphasising severity while providing clear, actionable steps. At the time of discovery, the team noted that more than 8,800 ConnectWise servers remained vulnerable. This necessitated the creation of a temporary hot-fix "vaccine," along with clear instructions for how customers should proceed. We did not want customers to become sitting ducks with this vulnerability festering in their systems.

A playbook to navigate crisis

Mike Tyson famously said that "Everybody has a plan 'til they get punched in the face." And when helping the community through major incidents, you are going to take a few punches. That is why teams must lean on experience, establish playbooks and foster a culture of communication in order to build the plan.

Step 1: Understand what you are dealing with

Situations like the ConnectWise vulnerability require clear roles and communication, with every team understanding the threat, the role it plays and the right information to share. While not many details were provided with the initial advisory, Huntress' team of threat researchers and SOC analysts immediately set to work trying to learn as much as possible about these vulnerabilities.

Along the way, we started documenting the high-level, critical information to prepare the marketing and support teams for their efforts. In a matter of hours, we were able to understand the exploit and build a proof of concept (PoC) exploit. This is a testament to how basic this vulnerability was and how easy it would be for an attacker to exploit it.


Step 2: Sound the alarm

It is essential to sound the alarm in a way that prompts action and builds defences quickly. In the immediate aftermath of the advisory, the team reached out to every Huntress partner who had a vulnerable version of ScreenConnect and reiterated the need to patch immediately. We sent over 1,600 incident reports to partners, with clear next steps included, since we knew that rapid communication and mitigation were key to closing the window of opportunity for attackers.

Another layer of complexity: once the Huntress team had so easily recreated the exploit, we knew we did not want to publish details of the vulnerability until there had been adequate time for the industry to patch. It would be too dangerous for this information to be readily available to threat actors, and we did not want to hand them the informational equivalent of a loaded gun.

Of course, it did not take long before the secret was out. The exploit details were shared by multiple parties, becoming widely available to the public and hackers alike. We quickly turned our attention to helping the community, releasing a detailed analysis, providing detection guidance and emphasising the need to patch immediately. Once a proof of concept is publicly available, broad communication increases the likelihood that those impacted will receive the notifications. Empowering defenders with the PoC and the applicable defences reduces more risk than trying to hide it.

Step 3: Take bold action

Rather than sitting on our hands and waiting for things to get bad (really, really bad), we did something about it, releasing the vaccine hot-fix to hosts running the vulnerable version. A hot-fix could temporarily thwart bad actors while giving customers time to patch and update properly. Within mere hours, our hot-fix and additional detection guidance were available and shared publicly by our team, with step-by-step details for partners and affected organisations.


As more information trickled in, we added new content and guidance around all things SlashAndGrab. When in doubt, be proactive. A team's ability to take matters into its own hands and communicate quickly can make the difference in how the community responds.

Sharper cyber teams = stronger response

To quote our CEO, Kyle Hanslovan, "This sh*t (was) bad." But it did not have to get worse. With a coordinated response that includes a robust playbook for navigating crisis events, cyber teams can become part of the solution and protect the community faster and more effectively.


© 2024 cyberbeatnews.com – All Rights Reserved.