This is a developing story.
Friday, February 23, 2024
The security vulnerability in ConnectWise ScreenConnect remote support tool, with both on-premises and in-cloud deployments, has opened the door to “nasty, nasty post exploitation,” says Matt Kiely, principal security researcher at Huntress, which has been working on the incident since it became public.
“I am not going to bury the lead. This is very bad,” he says.
ConnectWise alerted its user community about two vulnerabilities on Monday, one of which, the authentication bypass, has a critical vulnerability score of 10, the highest possible. The cloud deployments have been patched, but customers need to upgrade their on-premises deployment to version 23.9.8 immediately.
What makes this incident “scary” is how prolific ScreenConnect is, Kiely says. “The attack surface for this one is massive, absolutely massive. So many MSPs, so many local government organizations, anywhere that IT administrators need to be able to remote into things, ScreenConnect is a good option for them.”
Huntress has been issuing blogs to help users address the vulnerabilities, including detection guidelines.
The post exploitations Huntress has seen have ranged from “ransomware to cryptocoin miners to command and control beacons to persistence mechanisms,” Kiely says. “We have intervened and ripped the hackers out of those accesses when we can, but we don’t see the things that Huntress does not protect.”
Adds Matt Holland, founder and CEO of Field Effect, “The vulnerability in ScreenConnect sheds light on the need for organizations to understand what software and associated risks are present across managed environments. This is something that is a large focus of Field Effect’s MDR service.”
He continues, “We’ve seen cases where MSPs have taken action in updating their own ScreenConnect servers, but a third party who also had a presence in a network didn’t patch, which led to an organization being compromised anyway. Fortunately, we’ve detected and contained these incidents, but this same thing can continue to happen to MSPs, including those using the cloud hosted ScreenConnect. We’ve been strongly advising our partners to search for any unpatched third party ScreenConnect clients in their managed environments and either uninstall or block connectivity to unexpected remote hosted servers.”
How this will play out remains to be seen, but Kiely says, “I am hopeful we’re going to be fine. There have been big cybersecurity events like this in the past that we’ve made it through.”
However, he adds, “At the end of the day, you really cannot force somebody to patch. And so though ConnectWise has put some measures in place to accelerate the uptake of patching, that lag between when the exploit is discovered and when every last instance of that software is patched, I can’t predict the future. … but it can take months for people to get around to patching. I’m urging everybody … please patch.”
Thursday, February 22, 2024
ConnectWise is addressing a critical vulnerability discovered in ConnectWise ScreenConnect, its remote desktop and access software that enables MSP techs to directly access a user’s computer. The company has been alerting all MSPs using on-prem versions of the software to update it immediately. It has been “all hands on deck” according to ConnectWise’s Chief Information Security Officer Patrick Beggs.
“There’s a vulnerability in the software that allows a threat actor to be able to gain unlawful entry into that system and then use that screen connect software to do any number of things, including installing ransomware, exfiltrate data, steal data, attack the MSP, attack their customers,” explained Robert Cioffi, chair of the CompTIA’s voluntary Emergency Response Team (ERT) and chief technology officer and co-founder of Progressive Computing. Cioffi is also an IT Nation Evovle facilitator. “There’s a variety of different creative things that a threat actor could do. The reason this is such a big problem is because there are thousands of ScreenConnect instances out there that are unpatched. ConnectWise was alerted to the issue. They promptly created a patch for it and then went through a massive call and email campaign to outreach all of their customers to install this patch.”
In a blog post, ConnectWise said an independent researcher reported the vulnerability on February 13 through ConnectWise’s vulnerability disclosure process and the ConnectWise Trust Center.
According to ConnectWise, within 36 hours of confirming the vulnerability, the company applied a manual mitigation for all Cloud partners (ScreenConnect, RMM AND Automate/Hosted RMM). Completing this action meant that all Cloud partners were protected by February 16th without requiring ConnectWise to do a version update, meaning it would not reflect a version change for users.
Additionally, ConnectWise began upgrading all ScreenConnect and Automate/Hosted RMM Cloud partners to the latest 23.9 version. No further action is required from cloud partners using “screenconnect.com” cloud and “hostedrmm.com” instances.
In a live broadcast today on LinkedIn with CompTIA’s MJ Shoer, SVP, Executive Director, CompTIA ISAO (Information Sharing and Analysis Organization), Beggs provided updates on the situation. “ScreenConnect has a critical vulnerability score rated 10, which is about as high as you get,” he said.
“I’m confident that we took the right steps and I really appreciate the feedback from the community and the support from the community. Again, this doesn’t get us out of the woods yet. We’re still fighting the fight and we’re still helping our partners fight the fight. A lot of our ticket numbers are up and we’re knocking through ’em right now and assisting as fast and as hard as we can. It is an all-hands-on-deck endeavor, and again, the dust is going to settle and we’re going to share as much as we can on lessons learned from inception to recovery, as you should for any incident response.”
He added, “We know not all things are created equal. Not all folks have the ability to reply and to a patch as immediately as everybody would like.”
For more information about the security fix, go here.
Check back with MSP Success for ongoing updates on this story.
