Introduction
On February 23, 2024, Sophos published an article detailing multiple attacks that exploited two recently disclosed vulnerabilities in ConnectWise ScreenConnect, an authentication bypass (CVE-2024-1709) and a path traversal (CVE-2024-1708), to deliver various malware payloads into business environments. The bypass let an unauthenticated attacker add an administrator account to an exposed ScreenConnect server and then turn the product's own remote access features against the endpoints it managed. This article will guide you in planning and executing a fire drill simulation based on this incident. You can find the original article at https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/.
Who Is This For?
This cybersecurity fire drill exercise is relevant for:
- Businesses using ConnectWise ScreenConnect or similar remote access tools
- IT and security teams responsible for managing and securing these tools
- Incident response teams preparing for potential attacks via remote access software
- Managed Service Providers (MSPs) using ScreenConnect to service their clients
Simulation Start Points
Consider the following starting points for your cybersecurity fire drill simulation:
- An employee reports unusual activity on their machine after a remote support session
- Your security monitoring detects an unauthorized new user account on a ScreenConnect server
- Suspicious PowerShell commands are executed from a ScreenConnect client process
- Endpoint protection alerts indicate attempted malware execution from ScreenConnect temp folders
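Three of these start points are visible in endpoint process telemetry. The following Python, an added example rather than code from the Sophos article or from ConnectWise, runs simple detection rules over constructed Sysmon-style process-creation events: it flags a shell spawned under the ScreenConnect client process, a PowerShell command line that is encoded or looks like a download cradle, and any executable launched from the client's temp folder. The process names (ScreenConnect.ClientService.exe, ScreenConnect.WindowsClient.exe) and the temp folder (C:\Windows\Temp\ScreenConnect\) reflect a default Windows client install; confirm them against your own telemetry, and treat the sample events as constructed.

```python
"""Flag suspicious child processes of the ScreenConnect client.

Added example for the start points above, not code from the Sophos article
or from ConnectWise. It runs over constructed Sysmon-style process-creation
events (Event ID 1 fields Image, ParentImage, CommandLine) and encodes three
of the endpoint-side start points: a shell spawned under the ScreenConnect
client, a PowerShell command line that is encoded or looks like a download
cradle, and an executable launched out of the client's temp folder.
"""
import re
from dataclasses import dataclass

# Assumptions, check them against your own telemetry: the client runs as
# ScreenConnect.ClientService.exe (ScreenConnect.WindowsClient.exe for the
# interactive part) and writes transferred files and run-command scripts
# under C:\Windows\Temp\ScreenConnect\<version>\.
CLIENT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
CLIENT_TEMP_DIR = "c:\\windows\\temp\\screenconnect\\"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Encoded-command switch followed by a base64 blob, or a download cradle.
CRADLE_RE = re.compile(
    r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|frombase64string",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the reasons this event is suspicious (empty list if none)."""
    reasons = []
    if basename(ev.parent_image) in CLIENT_IMAGES and basename(ev.image) in SHELLS:
        reasons.append("shell spawned by ScreenConnect client")
        if CRADLE_RE.search(ev.command_line):
            reasons.append("encoded or download-cradle command line")
    if ev.image.lower().startswith(CLIENT_TEMP_DIR):
        reasons.append("executable launched from ScreenConnect temp folder")
    return reasons


def triage(events):
    """(host, process, reason) triples for every suspicious event, in log order."""
    return [(ev.host, basename(ev.image), r) for ev in events for r in classify(ev)]


def hosts_to_isolate(events):
    """Hosts with at least one finding; the containment phase starts here."""
    return sorted({host for host, _, _ in triage(events)})


# Constructed sample events, not real telemetry.
CLIENT = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe"),
    # a technician (or an attacker) used the console's "Run command" feature
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", CLIENT,
              r'cmd.exe /c "C:\Windows\TEMP\ScreenConnect\23.9.7.8794\run.cmd"'),
    # hidden PowerShell with an encoded command, spawned directly by the client
    ProcEvent("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CLIENT,
              "powershell.exe -nop -w hidden -enc "
              "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    # a transferred binary executed from the client's temp folder
    ProcEvent("WS02", r"C:\Windows\Temp\ScreenConnect\23.9.7.8794\update.exe",
              r"C:\Windows\System32\cmd.exe", "update.exe /silent"),
]

if __name__ == "__main__":
    for host, proc, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {proc}: {reason}")
    print("isolate:", ", ".join(hosts_to_isolate(SAMPLE_EVENTS)))
```

The first rule also fires on sanctioned use of the console's Run Command feature, so the drill should include reconciling each alert against the server's session history to separate technician activity from the attacker's; that reconciliation is usually where the unauthorized account from the second start point surfaces.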
Cybersecurity Fire Drill Simulation Phases
Walk through these incident response phases during the simulation:
- Detection and Analysis
  - Investigate alerts tied to ScreenConnect server and client processes (new or unexpected accounts on the server, shells or binaries spawned by the client) and collect indicators of compromise
  - Analyze network traffic for communications with suspicious IP addresses or domains, and review the server's session history for sessions no technician can account for
- Containment
  - Isolate affected endpoints, and take unpatched on-premises ScreenConnect servers offline (or at least off the internet) until they are patched; treat every client that connected to a compromised server as suspect
  - Block malicious IP addresses and domains at the network perimeter
- Eradication
  - Remove any malware, unauthorized accounts, or persistence mechanisms, and rotate credentials for accounts on the compromised server
  - Patch ScreenConnect servers to the fixed release (23.9.8 or later)
- Recovery
  - Restore systems from clean backups where necessary
  - Implement additional security controls around remote access tools, such as MFA for console users, restricting the server's admin interface to a management network, and alerting on account creation
- Post-Incident Activity
  - Conduct a root cause analysis and document lessons learned
  - Update incident playbooks and security awareness training
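The unauthorized-account start point and the Eradication step above both come down to knowing which accounts exist on the ScreenConnect server and which of them should not. The following Python, added here as an example and not code from the Sophos article or from ConnectWise, diffs a baseline export of the server's user list against a current one and flags new accounts, accounts that gained the Administrator role, and accounts created during the window in which the server was exposed. The XML layout and element names (User, Name, CreationDate, Roles) are a simplified stand-in for the server's real user store (App_Data\User.xml on a Windows install), and the snapshots and exposure window are constructed.

```python
"""Diff two snapshots of a ScreenConnect server's user store.

Added example for the Detection and Eradication phases above, not code from
the Sophos article or from ConnectWise. The XML layout is a simplified
stand-in for the server's user store (App_Data\\User.xml on a Windows
install): element names on your version may differ, so check the parser
against a real export before relying on it.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

ADMIN_ROLE = "Administrator"

# The window in which the server was reachable but unpatched; take it from
# your own change records. Constructed for this example.
EXPOSURE_START = datetime(2024, 2, 19, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2024, 2, 21, tzinfo=timezone.utc)

# Constructed snapshots: a baseline exported before the exposure window and
# the state found once the incident was noticed.
BASELINE_XML = """<Users>
  <User><Name>admin</Name><CreationDate>2022-01-10T08:00:00Z</CreationDate>
    <Roles><string>Administrator</string></Roles></User>
  <User><Name>jsmith</Name><CreationDate>2023-06-01T09:30:00Z</CreationDate>
    <Roles><string>Technician</string></Roles></User>
</Users>"""
CURRENT_XML = """<Users>
  <User><Name>admin</Name><CreationDate>2022-01-10T08:00:00Z</CreationDate>
    <Roles><string>Administrator</string></Roles></User>
  <User><Name>jsmith</Name><CreationDate>2023-06-01T09:30:00Z</CreationDate>
    <Roles><string>Technician</string><string>Administrator</string></Roles></User>
  <User><Name>helpdesk2</Name><CreationDate>2024-02-20T03:14:07Z</CreationDate>
    <Roles><string>Technician</string></Roles></User>
  <User><Name>svc-backup</Name><CreationDate>2024-02-20T03:15:41Z</CreationDate>
    <Roles><string>Administrator</string></Roles></User>
</Users>"""


def parse_users(xml_text):
    """Return {name: (creation time, set of roles)} from a snapshot."""
    users = {}
    for user in ET.fromstring(xml_text).iter("User"):
        created = user.findtext("CreationDate").replace("Z", "+00:00")
        roles = {r.text for r in user.find("Roles").iter("string")}
        users[user.findtext("Name")] = (datetime.fromisoformat(created), roles)
    return users


def diff_users(baseline, current, start=EXPOSURE_START, end=EXPOSURE_END):
    """(severity, account, reason) for every change worth an analyst's look."""
    findings = []
    for name, (created, roles) in sorted(current.items()):
        if name not in baseline:
            reason = "new account with roles " + ",".join(sorted(roles))
            if start <= created <= end:
                reason += " (created during exposure window)"
            findings.append(("high" if ADMIN_ROLE in roles else "medium", name, reason))
            continue
        gained = roles - baseline[name][1]
        if gained:
            findings.append(("high" if ADMIN_ROLE in gained else "medium", name,
                             "gained roles " + ",".join(sorted(gained))))
    # An attacker covering tracks may also delete accounts; record those too.
    for name in sorted(set(baseline) - set(current)):
        findings.append(("low", name, "account removed"))
    return findings


def accounts_to_review(findings):
    """Accounts to disable or reset first: every high-severity finding."""
    return sorted({name for sev, name, _ in findings if sev == "high"})


def run_drill():
    return diff_users(parse_users(BASELINE_XML), parse_users(CURRENT_XML))


if __name__ == "__main__":
    for sev, name, reason in run_drill():
        print(f"[{sev}] {name}: {reason}")
    print("review first:", ", ".join(accounts_to_review(run_drill())))
```

A new administrator created at 03:15 in the exposure window is the obvious finding; the quieter one is the existing technician account that gained the Administrator role, which a drill team that only looks for new names will miss. Export the baseline from a known-good backup, not from the running server, since the current store is exactly what the attacker controlled.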
Inject Ideas
Consider adding these injects to make the simulation more challenging:
- The attacker uses ScreenConnect to deploy ransomware that encrypts critical servers
- Investigation reveals the attack originated from a compromised MSP with ScreenConnect access
- Sensitive data is exfiltrated through the ScreenConnect tunnel before the breach is contained
- The attacker uses ScreenConnect to pivot to other parts of the network and establish persistence
MITRE ATT&CK Techniques
The following MITRE ATT&CK techniques may be relevant to this attack scenario:
- T1190 - Exploit Public-Facing Application (the initial exploitation of an internet-facing ScreenConnect server)
- T1133 - External Remote Services
- T1136 - Create Account (the unauthorized user added to the ScreenConnect server)
- T1068 - Exploitation for Privilege Escalation
- T1219 - Remote Access Software (the attacker operating through ScreenConnect sessions)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1570 - Lateral Tool Transfer
- T1021.002 - Remote Services: SMB/Windows Admin Shares
- T1486 - Data Encrypted for Impact (the ransomware inject)
- T1041 - Exfiltration Over C2 Channel (the exfiltration inject)
Consider how the attackers might leverage these techniques and include relevant actions in your simulation.
ChaosTrack is a platform that combines the best of tabletops and trainings to run ripped-from-the-headlines cybersecurity fire drills against your whole company.