Network Security, Threat Intelligence

Network compromise via ConnectWise ScreenConnect abuse ramps up

Credit: Adobe Stock Images

More advanced persistent threat groups have been exploiting the ConnectWise ScreenConnect remote monitoring and management tool to facilitate initial network compromise amid greater detection of AnyDesk abuse, Infosecurity Magazine reports.

Intrusions commenced with the utilization of ConnectWise ScreenConnect's management console to craft invite links or custom URLs in phishing schemes aimed at luring targets into downloading nefarious ScreenConnect clients, a report from the DarkAtlas research project showed.

Subsequent installation of such clients then prompts the registration of their binary as a Windows service for continued remote connectivity, according to researchers, who also discovered hostnames, encrypted keys, and IP mappings within the clients' configuration files, while providing key event logs produced by ScreenConnect during the malicious activity.

Combating the threat of illicit ScreenConnect usage necessitates increased vigilance on custom URLs and invite links, persistent client binaries, in-memory installer behavior, and related configuration files and event IDs.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds