
Volume 328, Issue 1 · IT Vendor News · Barracuda Networks

The SOC case files: XDR contains two nearly identical attacks leveraging ScreenConnect

Barracuda Networks, July 2, 2025

Barracuda's Managed XDR team recently helped two companies mitigate incidents where attackers had managed to compromise computers and install rogue ScreenConnect remote management software. The incidents were neutralized before the attackers were able to move laterally through the network.

Incident summary

Two different organizations spotted odd behavior on computers. One company found open tax software, and the other spotted unusual mouse movements.

In both cases, SOC analysts found rogue deployments of the ScreenConnect remote access and management software.

In Company A, there were signs of possible data exfiltration attempts linked to a convoluted series of malicious downloads.

Company B had evidence of malicious scripts and persistence techniques.

In both cases, ScreenConnect was installed surreptitiously with the installer masquerading as files related to Social Security matters.

SOC analysts were able to help both companies contain and neutralize the incidents.
