Two newly reported cyber breaches affecting MSPs come as a reminder of the risks providers face in managing client environments. One breach involved ConnectWise’s ScreenConnect remote access application, and the other an MSP’s instance of the RMM tool SimpleHelp.
ConnectWise, in a statement, said the attack on ScreenConnect likely was “tied to a sophisticated nation state actor.” In the other incident, attackers broke into an MSP’s SimpleHelp instance to deploy DragonForce ransomware across multiple endpoints and exfiltrate data, according to Sophos.
“The ConnectWise ScreenConnect attack reconfirms that supply chain threats are a critical focus area for anyone trying to reduce risk. MSPs create an aggregation point for attackers to target, granting broad access to customer environments and supplemental data about those environments,” said James Shank, director, threat operations, at cybersecurity provider Expel.
ConnectWise ScreenConnect Has Been Targeted Before
In February 2024, ConnectWise alerted users to vulnerabilities affecting on-premises and cloud deployments. ConnectWise patched its cloud-hosted instances itself, but on-premises servers had to be upgraded by the MSPs running them, and attackers used that window to infiltrate unpatched systems and deliver malicious payloads.
The breach disclosed this week “affected a very small number of ScreenConnect customers,” according to ConnectWise. A prepared statement provided scant details but said ConnectWise alerted law enforcement of the breach and retained cyber defense company Mandiant to investigate it. “The security of our services is paramount to us, and we are closely monitoring the situation,” the company said.
All affected customers have been contacted, ConnectWise said. “As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment.”
Following disclosure, MSPs rushed to check whether their customers were hit. Some found evidence of the attack; ECW Network & IT Solutions did not. ECW President Eric Weast said his team scanned customer instances of ConnectWise to make sure. As a matter of routine, ECW limits the footprint of ConnectWise and other remote-access tools, such as LogMeIn, TeamViewer, GoToMyPC, Chrome Remote Desktop, Bomgar, and AnyDesk, to reduce the attack surface.
ECW runs a script that alerts Weast’s team to activity involving these tools, such as new installs, and then removes them automatically. “Don’t trust any of these tools if they’re not yours. If you don’t use it, block it,” he warned.
It’s a practice he recommends for all MSPs and MSSPs as part of a multilayered approach to protect customers.
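As an added example of the kind of control Weast describes, and not ECW’s own script, the PowerShell below inventories remote-access tools on a Windows endpoint, skips the ones on an allowlist of the tools the MSP itself uses, and reports the rest; with -Remove it stops their processes and services and silently uninstalls MSI-based entries. The product-name substrings, the default allowlist (ScreenConnect) and the decision to attempt silent removal only for MSI entries are assumptions made here.

```powershell
# Added example; not ECW's script. Inventories remote-access tools on a Windows
# endpoint, ignores the ones on the MSP's own allowlist, and reports the rest.
# With -Remove it kills their processes, stops and disables their services and,
# where the install is MSI-based, uninstalls silently. Run as local admin,
# typically pushed from your own RMM. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: the MSP's sanctioned tool is ScreenConnect; change to taste.
    [string[]]$Allowed = @('ScreenConnect'),
    [switch]$Remove
)

# Remote-access products named in the article. The substrings (matched
# case-insensitively against display, process and service names) are
# assumptions about how these products usually label themselves; extend them
# from your own fleet inventory.
$Catalog = [ordered]@{
    'ScreenConnect'         = @('ScreenConnect')
    'LogMeIn'               = @('LogMeIn')
    'TeamViewer'            = @('TeamViewer')
    'GoToMyPC'              = @('GoToMyPC')
    'Chrome Remote Desktop' = @('Chrome Remote Desktop', 'remoting_host')
    'Bomgar'                = @('Bomgar', 'BeyondTrust Remote')
    'AnyDesk'               = @('AnyDesk')
    'SimpleHelp'            = @('SimpleHelp', 'JWrapper-Remote Access')
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
             Where-Object DisplayName
$Processes = Get-Process
$Services  = Get-Service

$Findings = foreach ($tool in $Catalog.Keys) {
    if ($Allowed -contains $tool) { continue }
    foreach ($pat in $Catalog[$tool]) {
        $like = "*$pat*"
        foreach ($app in $Installed | Where-Object { $_.DisplayName -like $like }) {
            [pscustomobject]@{ Tool = $tool; Kind = 'Install'; Name = $app.DisplayName; Detail = $app.UninstallString }
        }
        foreach ($p in $Processes | Where-Object { $_.ProcessName -like $like }) {
            [pscustomobject]@{ Tool = $tool; Kind = 'Process'; Name = $p.ProcessName; Detail = $p.Id }
        }
        foreach ($s in $Services | Where-Object { $_.Name -like $like -or $_.DisplayName -like $like }) {
            [pscustomobject]@{ Tool = $tool; Kind = 'Service'; Name = $s.Name; Detail = $s.Status }
        }
    }
}

if (-not $Findings) {
    Write-Output "No unsanctioned remote-access tools found on $env:COMPUTERNAME"
    return
}

# Always report first: this is the alert your RMM or SIEM should pick up.
$Findings | Sort-Object Tool, Kind | Format-Table -AutoSize | Out-String | Write-Warning

if ($Remove) {
    foreach ($f in $Findings | Where-Object Kind -eq 'Process') {
        if ($PSCmdlet.ShouldProcess($f.Name, 'Stop-Process')) {
            Stop-Process -Id $f.Detail -Force -ErrorAction SilentlyContinue
        }
    }
    foreach ($f in $Findings | Where-Object Kind -eq 'Service') {
        if ($PSCmdlet.ShouldProcess($f.Name, 'Stop and disable service')) {
            Stop-Service -Name $f.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $f.Name -StartupType Disabled -ErrorAction SilentlyContinue
        }
    }
    foreach ($f in $Findings | Where-Object Kind -eq 'Install') {
        # Only MSI installs have a predictable silent uninstall; anything else
        # is left to the operator, with its uninstall string in the report above.
        if ($f.Detail -match '\{[0-9A-Fa-f-]{36}\}') {
            $code = $Matches[0]
            if ($PSCmdlet.ShouldProcess($f.Name, "msiexec /x $code /qn")) {
                Start-Process msiexec.exe -ArgumentList "/x $code /qn /norestart" -Wait
            }
        }
    }
}
```

Without -Remove the script only reports, which is the alert to feed into monitoring; add -Remove once the report has been reviewed on a few machines. One caveat before letting it delete automatically: allowlisting a product name allows every instance of that product, including one an intruder installs that points at their own server. Tighten the allowlist to your own instance (the ScreenConnect client’s DisplayName, for example, carries an instance identifier) rather than to the product name.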
Oli Thordarson, founder and CEO of Alvaka, an MSP based in Irvine, California, that also runs a ransomware recovery service, said the service has helped a number of companies impacted by the ScreenConnect breach. The calls started coming in mid-May, he said.
“We’re basically hired to contain the threat, lock the system down, and eject the threat actor,” Thordarson explained. “And then we get hired to rebuild all the stuff that’s been destroyed in that process. In a high percentage of our cases, we’re also engaged to … decrypt the files. In most of our cases that we get pulled into, the backups have been deleted or encrypted, and the client is having to pay the ransom.”
He added, “The clients are a lot more secure when we’re done with the case than they were beforehand. We help do a lot of securing on the system, and we go through a 300-point checklist of things that we do to help lock the system down, and then we go through the decryption work stream to get the files working for them again.”
Remote Tools: Risks and Rewards
Chris Henderson, CISO of managed security provider Huntress, said MSP remote tools offer risks and rewards. They give providers access to customer environments without site visits, but “these tools are ripe for abuse.”
Risks include potential attacks against RMM vendors and the software’s susceptibility to vulnerabilities. “Even with the best identity controls in place, an unpatched vulnerability or zero-day exploitation can allow our adversaries access to clients’ machines,” he said.
An MSP’s own access to the tools is another attack vector, he said, and that is the one abused in the SimpleHelp attack.
The SimpleHelp Attack
Sophos said it was “alerted to the incident by detection of a suspicious installation of a SimpleHelp installer file.” The installation was pushed through a legitimate SimpleHelp RMM instance hosted by an MSP. The attacker snagged information from customers of the MSP such as device names and configuration, users, and network connections, according to Sophos.
“The attacker employed a double extortion tactic to pressure victims into paying the ransom, which involves threatening both encryption and data leaks,” Sophos said.
A client of the MSP uses Sophos XDR endpoint protection, and Sophos thwarted the attacker on that client’s network. “However, the MSP and clients that were not using Sophos MDR were impacted by both the ransomware and data exfiltration.”
SimpleHelp is a software developer based in Edinburgh, Scotland. It was founded in October 2007 by Antony Miguel and George Christelis. Requests for comment from the company went unanswered.
Sophos’ Anthony Bradshaw, manager, MDR/incident response, explained that Sophos first encountered the incident in April. “We detected some suspicious activity within that customer’s environment. During the investigation we identified that the activity was stemming from the SimpleHelp RMM client and then basically going backwards throughout the attack, we were able to put it together and identify that it was coming from the [MSP’s] SimpleHelp RMM server itself.”
Bradshaw said SimpleHelp has remediated the problem, releasing patches in January. He added that it’s likely the MSP did not deploy the patches. “From our Sophos telemetry, reviewing the actual client, we were able to tell that the version was outdated. But since we didn’t have access to the actual SimpleHelp server, we were not able to validate exploitation. However, we did confirm that they were on a version that was vulnerable to the vulnerabilities that we’ve seen threat actors exploit.”
Alvaka has been helping one client of a U.S.-based MSP that was impacted by the SimpleHelp breach. The client has since fired the MSP, which “was behind on their patching of their tools,” Thordarson said, adding that the number of clients impacted by that one MSP’s breach is “in the double digits.”
Advice for Protecting Yourself, Your Clients from Cyberattacks
To protect themselves and their clients, Henderson recommends that MSPs question vendors on how they secure their RMM environments. Noting that RMM tools don’t set off antivirus software because they are trusted applications, Henderson advises using EDR and MDR software. “EDR is looking for malice, regardless of the application’s trusted status by the machine. An MDR will provide 24/7 monitoring of those alerts to ensure quick response should your tools be turned against your clients,” he said.
Bradshaw added, “MSPs should be utilizing security controls such as restricting access, maybe it’s geolocation or IP-based restrictions. They should be monitoring their RMM tools, the authentication logs to ensure that they’re not seeing any type of unwanted or suspicious successful authentications that are accessing those systems because those can be an indicator that those systems have been accessed by a malicious actor.”
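As an added example of the monitoring Bradshaw describes (not code from Sophos, SimpleHelp or ConnectWise), the PowerShell below reviews an RMM authentication log for successful logins from outside the MSP’s own IP ranges, and for logins that succeed right after a burst of failures for the same account. The log lines, their CSV layout, the allowed networks and the thresholds are all constructed for this example; real RMM products write authentication logs in their own formats, so the parsing step is what you would adapt.

```powershell
# Added example, not vendor code. Reviews an RMM authentication log for
# (1) successful logins from outside the MSP's own networks and
# (2) a success that follows a burst of failures for the same account.

# Constructed sample log in a made-up CSV layout (timestamp,user,source_ip,result).
$Log = @'
timestamp,user,source_ip,result
2025-05-10T08:01:10Z,tech1,198.51.100.20,success
2025-05-10T22:40:01Z,tech2,203.0.113.5,failure
2025-05-10T22:40:09Z,tech2,203.0.113.5,failure
2025-05-10T22:40:18Z,tech2,203.0.113.5,failure
2025-05-10T22:41:02Z,tech2,203.0.113.5,success
2025-05-11T03:12:44Z,admin,192.0.2.77,success
2025-05-11T09:15:30Z,tech1,198.51.100.21,success
'@

# Assumptions: the MSP's office and VPN egress ranges, and the burst threshold.
$AllowedNets  = @('198.51.100.0/24', '10.10.0.0/16')
$FailureBurst = 3
$Window       = [timespan]::FromMinutes(10)

function ConvertTo-IPv4Int([string]$Ip) {
    # Dotted quad to an integer; IPv4 only in this example.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only in this example: $Ip" }
    [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Test-IPInCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    # Mask built arithmetically so no bit-shift semantics are relied on.
    $mask = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

$Events   = $Log | ConvertFrom-Csv | Sort-Object { [datetime]$_.timestamp }
$Failures = @{}   # user -> list of failure timestamps seen so far

$Alerts = foreach ($e in $Events) {
    $t = [datetime]$e.timestamp
    if ($e.result -eq 'failure') {
        if (-not $Failures[$e.user]) {
            $Failures[$e.user] = New-Object System.Collections.Generic.List[datetime]
        }
        $Failures[$e.user].Add($t)
        continue
    }
    if ($e.result -ne 'success') { continue }

    # Check 1: a successful login from an address outside the allowlist.
    $inside = $false
    foreach ($n in $AllowedNets) {
        if (Test-IPInCidr $e.source_ip $n) { $inside = $true; break }
    }
    if (-not $inside) {
        [pscustomobject]@{ Time = $e.timestamp; User = $e.user; IP = $e.source_ip
                           Reason = 'success from outside allowlist' }
    }

    # Check 2: success shortly after repeated failures (spraying or brute force).
    $recent = @($Failures[$e.user] | Where-Object { ($t - $_) -le $Window })
    if ($recent.Count -ge $FailureBurst) {
        [pscustomobject]@{ Time = $e.timestamp; User = $e.user; IP = $e.source_ip
                           Reason = "success after $($recent.Count) failures within $($Window.TotalMinutes) min" }
    }
}

# On the constructed log this yields three alerts: tech2 (twice, for both
# checks) and admin (outside allowlist); tech1 from 198.51.100.x is clean.
$Alerts | Format-Table -AutoSize
```

Geolocation-based restriction, which Bradshaw also mentions, needs a geo-IP database; restricting to your own office and VPN egress ranges, as the allowlist here models, is the simpler control and can be enforced at the RMM or its front-end firewall rather than only detected. The same login can trip both checks, as tech2 does above, which is deliberate: each reason is a separate signal for the analyst.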
Thordarson has several best-practice recommendations for MSPs. “Patch your own systems. Patch your clients’ systems. Keep them up to date every month. Use multifactor authentication on everything. Make sure you have immutable backups for yourself and your clients. Segment your networks. Have a good EDR and have it monitored by a SOC or an MSSP, one that works 24 hours a day, seven days a week. So that when the EDR kicks something off you’re not just counting on the EDR to stop the threat, but you’ve got a human on it as well. Those would be my top recommendations.”
Colleen Frye, executive editor of MSP Success, contributed reporting to this story.