“I can’t sugar coat it – this shit is bad,” said the Huntress CEO
Security experts are warning that a maximum-severity vulnerability in a widely used remote access tool is “trivial and annoyingly easy” to exploit, as the software’s developer confirms that malicious hackers are actively exploiting the flaw.
The vulnerability affects ConnectWise ScreenConnect (formerly ConnectWise Control), popular remote access software that allows managed IT providers and technicians to provide real-time remote technical support to customer systems.
The flaw is described as an authentication bypass vulnerability that could allow an attacker to remotely steal confidential data from vulnerable servers or deploy malicious code, such as malware. The vulnerability was first reported to ConnectWise on February 13, and the company publicly disclosed details of the bug in a security advisory published on February 19.
ConnectWise initially said there was no indication of a public exploit, but in an update on Tuesday said it had “received updates on compromised accounts that our incident response team was able to investigate and confirm.”
The company also shared three IP addresses it says were “recently used by threat actors.”
When asked by TechCrunch, ConnectWise spokeswoman Amanda Lee declined to say how many customers are affected, but noted that ConnectWise has seen “limited reports” of suspected intrusions. Lee added that 80% of customer environments are cloud-based and automatically patched within 48 hours.
When asked if ConnectWise is aware of any data breaches or has the means to detect if data has been accessed, Lee said “no data breaches have been reported to us.”
Florida-based ConnectWise provides its remote access technology to more than a million small and medium-sized businesses, its website says.
Cybersecurity firm Huntress on Wednesday published its analysis of the actively exploited ConnectWise vulnerability. Huntress security researcher John Hammond told TechCrunch that Huntress is aware of “current and active” exploitation and is seeing early signs that threat actors are moving to “more focused post-exploitation and persistence mechanisms.”
“We see adversaries already deploying Cobalt Strike Beacons and even installing a ScreenConnect client on the affected server itself,” Hammond said, referring to the popular Cobalt Strike post-exploitation and command-and-control framework, which is used both by security researchers for testing and by malicious hackers to control compromised networks. “We can expect more of these compromises in the very near future.”
Huntress CEO Kyle Hanslovan added that Huntress customer telemetry shows visibility into more than 1,600 vulnerable servers.
“I can’t sugar coat it – this shit is bad. We’re talking over ten thousand servers controlling hundreds of thousands of endpoints,” Hanslovan told TechCrunch, noting that more than 8,800 ConnectWise servers remain vulnerable to the exploit.
Hanslovan added that due to “the sheer prevalence of this software and the access afforded by these vulnerabilities, we are on the cusp of a ransomware free-for-all.”
ConnectWise has released a patch for the actively exploited vulnerability and urges ScreenConnect users to apply it immediately. ConnectWise also released a patch for a separate vulnerability affecting its remote desktop software. Lee told TechCrunch that the company has seen no evidence that this second flaw has been exploited.
Last year, US government agencies CISA and the National Security Agency warned that they had observed a “broad cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software” — including ConnectWise ScreenConnect — to target multiple federal civilian executive branch agencies.
US agencies also observed hackers abusing remote access software from AnyDesk, which earlier this month was forced to reset passwords and revoke certificates after finding evidence that its production systems had been compromised.
In response to questions from TechCrunch, Eric Goldstein, CISA’s executive assistant director of cybersecurity, said: “CISA is aware of a reported vulnerability affecting ConnectWise ScreenConnect, and we are working to understand a potential exploit in order to provide the necessary guidance and assistance.”
Are you affected by the ConnectWise vulnerability? Carly Page can be reached securely on Signal on +441536 853968 or by email at carly.page@techcrunch.com. You can also contact TechCrunch via SecureDrop.