We're live, guys, so before we say anything. Oh, we're live. We've got to start talking about things. Yes. I titled this video not in any way to be clickbait. This is actually happening right now. ScreenConnect Vulnerability and Exploit, February of 2024. It is as simple as that. These two have been really busy. I reached out to a handful of people that I was happy. Everyone I talked to patched. So I didn't have the same experience Jason had reaching out to people. But essentially, there's a flaw that has been found in ScreenConnect. I already seen enough Twitter posts and chatter. Someone's going to watch the world burn. They're going to drop the proof of concept. But there's already, as we know, probably stuff going on as it happens with things like this. Quick background for anyone that's never heard of ScreenConnect. I've done several videos on it before. I know I have at least some of the MSP community that follows me. But essentially, there's a flaw in ScreenConnect, which is a remote software tool that allows managers, providers, or actually colleges, universities, as other places. All kinds of problems we've seen, right? Yeah, to remote control systems. It's amazingly powerful. It's wonderfully useful in your hands as the IT admin. It's way less fun when threat actors get ahold of it. Yeah, true story. And the challenge is very limited right now to, at least at this point from an exploit potential perspective, to one, you host yourself. This is somewhat mitigated in the ones that are cloud hosted by ConnectWise themselves. This is really your patch challenge right now. And Jason, you've been doing some digging on just how many of them are available. I do want to make that clear at the beginning. Yes, there is a patch. It is solvable. Please watch this if you didn't hear that for. Stop watching us and go patch if you haven't done it. Yeah, yeah. If you've got one of these servers, it's not patched. Do that now. We'll talk to you later.
It's cool seeing you, right? But, Slego, how many have you seen? I mean, I was looking at numbers over 6,000 today that I could check pretty quickly. I'm geofocusing it because you can only pull 1,000 at a time from the Shodan API. But, I mean, Shodan is retrieving 7,500. So there's a lot, right? Like, there's 7,500 that Shodan was able to index. I'm guessing there's plenty more that it doesn't have. I am starting to do some preliminary work. That's actually what I was talking about before we got on here. I have a Shodan query written that's spitting out IP ports that I can now feed to a port scanner so I can go get the versions of it to try to calculate. Let's not overshare that part of it, Slego, as to what this looks like. But yeah, agreed. We're finding them in the ones that we know are going to be challenges from a vulnerability perspective. And essentially, what the task has to be is, unfortunately, some people who have set this up, self-hosted, they may not realize that this is going on. They don't follow the news. Maybe they watch my YouTube videos or something else, which is why we're throwing it here. I did leave a link to Huntress in a rapid response. I put that as the top link in this description because they have all the actionable updates for this, which is really just go patch. But if you know someone running this, if you're aware of this being used, and even if you're not the admin, say, hey, are we on the latest version? Ask someone on the chain. Kind of ask these questions. Send them a link to that Huntress notice. Send them a link to the. We also, at the same time, apologize to all you practitioners. We just created a total storm from that response. So there's this balance of that challenge. But we're seeing so many of these, right, Slego? And I think the point is, ask your administrator. It's that critical. And here's why.
Without saying exactly what it is, very trivially, it can be taken over and full administration capabilities gained with one single, essentially, set of scripts. You could do as Jason was doing, grab the information to find it, and then also exploit it and gain access to it. And then you have to think of what could happen to all those machines. We talk about this, what, 6,000, let's say, or 7,000, let's say, in servers. That could have 100 to 5,000 to 10,000 endpoints on it. Do that math. That's why this is so critical. Yeah. So anyways, yeah. So someone running ScreenConnect. I mean, this happened a couple of years ago where a ScreenConnect instance hacked a dental company. That was the cataclysm. I think this was around 2019. They hacked the ScreenConnect instance. This instance was how they managed all the dental software across the US. And so many dentists. It was a chain reaction of things all stemming from their ScreenConnect. That company didn't survive. Do we tackle this comment, Jason, or not? If you made a comment in here, whether we posted it or not, I don't know. And you have been locked out of a machine. Simply getting back to access may or may not be enough. You might wind up with machines with Cobalt Strike beacons on them from things we're seeing in some of the chatter. Other things that initial access capability has been made. So just do more review, obviously, to your point of looking for terminal IOCs on the back end. Yeah, good stuff, man. Oh, sorry. I had a small little heart attack for you there. But this is a behavior of what happens, potentially, right? That is a side effect of what happens when this is exploited. So if your file in the past 24 hours went missing and suddenly you're locked out, you can presume that nutty things happened. As to how many of those nutty things, it depends. I don't want to take my life. And how quick are you able to shut it down?
Well, or at least hopefully remove network access so you preserve any type of forensics or information about what's been done on it, obviously, right? So for governance there. But yeah. I mean, more importantly, if you are an MSP and you have ScreenConnect agents on your systems that aren't yours, and they are not version 23.9.8, you should probably just remove them. Because there's no easy way to tell if the server they're talking to is upgraded. And the last thing you want to do is have machines get owned because somebody else's ScreenConnect instance is going to be desired in years. Dango says restore from backup, which isn't entirely true or valuable. Because what happens is I might have access to this ScreenConnect instance. And let's stop just saying ScreenConnect other than the fact that that's what happens to be we're talking about here. But because I've eroded access and I might have back end, I may have the ability to clean up my own tracks. I might have the ability to execute things on these remote systems. To your point, who said that, I think he's coming soon, you now have the ability to go dig for and look for those evidences that things have been in the logs of that potential victim system. But yeah, to your point, you can't just restore to backup. Or I guess to my own point, you can't self toss your own baseball to yourself. That was a total fail on my part. Yeah, sorry. Anyways, back to Utah. Yeah. No, like I said, we're doing this as a live stream just to try and get that information out there. What happens with any of these patches, for those of you that are wondering why the proof of concept is so quick, is you take the threat actor to the same thing that even the screen researchers do. We reverse engineer, we look at the differential between what the existing system is and what was changed in the latest update. And it turns out, well, as someone is going to learn in the future, this is really trivial, is the best way to describe it.
It doesn't have that I've seen. It's got to ConnectWise. Has there been a CVE assigned to this yet? They're not, they're waiting. So they're waiting. CISA is waiting for the CVE number to be assigned before they're willing to announce it, which is silly. Daniel, we can't. We can't really. Yeah, OK. Well, we can't. I mean, shut down his channel and say whatever he wants to say. It's the web interface. I don't think that's telling too much. Yeah, yeah, yeah. Yeah. At least you know which one. I mean, it doesn't give you any better clue. If you spend about five minutes on Twitter, you're going to find it's right now. It's true. It's true. The big takeaway not to miss is patch, patch, patch, patch. If you're not in control, ask and be responsible, really respectful of the fact that they may or may not get you back. And this does come to a safeguard. If you're looking at CIS, in 7, there is a train, or in 14, there is a train your users to find out of date missing patches. There is an aspect of this. I guess I have to do my own check and find out of date patches and figure out exactly what safeguard, because I'm failing here, but it is late. So, yeah. Anyways, yeah, go ahead. I've noticed something someone had mentioned here, but I want to reiterate this. One, someone says application blocking. ScreenConnect runs a system, and you've already whitelisted it. So you've probably already whitelisted it. Yeah, hopefully not. Some of the shenanigans that they can do, but yeah, that's not. To Elaine's point of trying to at least reduce that impact, do you have from a blast radius perspective? Yeah, great point. What's the good version to have, Jason, if we haven't already said it? You need 23.9.8.8811. Yep. Yeah, so the three of us have done how I would hack you. At present, how I would hack you is I would just pop your ScreenConnect instance. Yeah, the second one, I don't even have to. That's your video on how I would hack you.
This is now our easiest path forward and is now going to be a slide deck for how we would hack you. Even be nicer to leave a nice Easter egg of what you got in with, right? And you guys know what I mean. Yeah, but yeah. 23.9.8.8811. Thank you, Dengue. Is there anything else you gentlemen have to add to this? Because I know. I think there is an overarching question, and I love ScreenConnect to death. I'm not beating up on connectors. I hope you understand we all are in this problem together. But I do think there's an overarching question that I would ponder as a practitioner. Do I always need on demand at all times connections to every device that I manage? We did that for convenience. It made it easier for us. And I have to hear somebody go, no, no, click top left. No, no, to the top. Yeah, up there. No, click on the right. It was to make it easier for us and faster for them and a better white glove experience. But the point is, are we starting to get to a point where you would reconsider that constant access? It's a real question I would have as a practitioner today. I don't know. What are your all thoughts on that, Jason? Yeah, I. Back and forth. Hi, I'm sorry. You didn't ask an easy question here, Matt. I know. I'm sorry. I mean, that level of access is what makes the business model possible, right? Like, it's, you know, you asked me, and I still owe you that slide deck for MSPs. Starts like the world without them as well. Right? Like the reality of the world and the situation we live in at the moment is the MSPs need that they have to have some method of remote access to these systems. I guess, in theory, you could do just on demand, right? Like you could just do support sessions and never do access sessions. Or even scripted or other methodologies that allow you a small delay, but an operational barrier or an administrative tactical barrier to entry for a threat actor. They don't just land on this perfect victim system structure, right?
Like, there's thoughts that have to be applied to that in my mind. A lot of people turn off things like backstage mode, but like this, to my knowledge, this bypasses that. Like, literally, this creates an admin level account with all permissions. And you just turn it on. You just turn it on. And even if you don't just turn it on, right? Like, there's other things. If you can't directly edit the web.config, right? There's an extension. You can install that allows you to edit the web.config. Even if you don't do that, there's another exploit that was actually released on the same day, which is slightly less bad. It's an 8.4. It's a path traversal attack that allows arbitrary commands to be run on the ScreenConnect system itself. So if you chain those two things together, you can definitely get into a position where you can turn that stuff off. Yeah, yeah. The last piece. Or, Tom, your show, your stream, I'll show. No, no. I'm just not in my head or forever. Because there's not an easy answer. That is pseudo true. It is mitigated. It is not passed everywhere yet. But it is mitigated. Mitigated, OK. Two different things, yeah. Yeah. Yeah, and this is the balance point. Why are we doing this? It's because we're just trying to raise some awareness and get you to go patch if there is a situation. There, we are going to continue also reaching out to people. We may reference you to this video. If you have wound up here as a result of that, then, yeah. Yep, I'm sorry. This is what we're talking about. This is why we care. This is what we're doing. But yeah, that's pretty much it. Does it affect those with Duo MFA? Yes, absolutely 100%. Yes, 100%. Yeah. I mean, even a lot, if you're using that as well, it does not, it doesn't matter that this will. This is an application problem. Yep. 
And the one that is being dealt with in ways that I think might come out to be unique and probably something that I will raise a flag about how awesome it is and potentially if things continue with the way they're dealing with it. Yeah, so Travis says, read access to really navigate was hard. Yeah, true story. Right. Yeah, exactly. No, move the mouse left. No, don't move the left. There'll be other left. Yeah. Anyways, right to that point. And I'm not saying you don't have that, Travis. I think that's a great point to make. I'm saying, do I always have it on everything? Or do I find certain key users or once someone hits a certain hot button number of times or a certain key VIP or things even based on risk decisions, right? Maybe I don't want to keep direct access to that SCADA system, right? Jason, you and I've played with that game just recently in that conversation. So maybe there are things where we start making better decisions as to the breadth of where we leave continuous access and limit it to maybe frontline workers or people with less access or high level of triage necessary workers, things of that nature. So how does it different than Intune management? I'm sorry if I don't understand the question. Intune management is eventually consistent. True story. Yeah, accurate. That's accurate. Yeah, eventually being your definition. I used Intune since 2018. Now I'm married to her and I can't divorce her. Understand, this is one of those like mafia weddings, right? So I can't leave. But Intune is absolutely definitely, as Jason said, a little bit of this like rubber band effect on application where something like a ScreenConnect, I can run this many commands through an API, done, right? As some agent based methodology. And so obviously that's why so many things. I will say I've been in a conversation with a very large vendor in the same Intune basis without ruining NDAs, but or that vendor, let's see even say is in the realm.
And some of the conversations about maybe having some kind of a remote support always tend towards, you want always on the access why? And I think maybe what we're starting to look at is these are those convenience things we've done when there may be other methodologies we can create access vis-a-vis our own operational and control factors that we have, right? Yeah, so I digress. But no, gone further to the point of patch, patch, patch. Sorry. And we're dealing with the Swiss cheese of Microsoft. It is what we're always trying to wrestle with. All these tools are to wrangle the same beast across the world. True story today. True story. Oh, yes, I digress. OK. Anything else to add, Jason? No, I mean, I'm trying to, I'll have some stats here. It's going to take a little bit, but you may be able to enter the description of what I'm seeing parallelization looking like, essentially, or not parallelization, patch status. Sorry, I'm reading the man page of GNU Parallel as we're talking here, trying to figure out how to do this scanning I'm doing with system timeout. Yeah, so. There's a lot of people contacting more people. That's what we're going to go back to doing. So share with some friends. Let them know. If you know anyone who manages ScreenConnect and you know what it is, tell everybody to patch it. That's all we got for you. Thanks. Yep, see you.