“We can't bring it to the surface. This is awful,” Huntress CEO said
Security experts are A high-risk vulnerability in a widely used remote access tool is “easy and embarrassingly easy” to exploit, as the software's developer confirmed that malicious hackers are actively exploiting the flaw. he warned.
This maximum severity vulnerability affects ConnectWise ScreenConnect (formerly ConnectWise Control), a popular remote access software that enables managed IT providers and technicians to provide real-time remote technical support to customer systems. give.
The flaw, described as an authentication bypass vulnerability, could allow an attacker to remotely steal sensitive data or deploy malicious code such as malware from a vulnerable server. The vulnerability was first reported to ConnectWise on February 13th, and the company detailed the bug in a security advisory published on February 19th.
ConnectWise initially said there was no indication of public exploitation, but in an update on Tuesday it said ConnectWise had “received updated information on compromised accounts that our incident response team was able to investigate and confirm.” He said he confirmed it.
The company also shared three IP addresses that it said were “recently used by threat actors.”
In response to questions from TechCrunch, ConnectWise spokesperson Amanda Lee declined to say how many customers were affected, but said ConnectWise is aware of “limited reports” of suspected intrusions. Stated. Lee added that 80% of her customer environment is cloud-based and patches were automatically applied to her within 48 hours.
When asked if ConnectWise was aware of any data breaches or had the means to detect whether data had been accessed, Lee said: “No data breaches have been reported to us.”
Florida-based ConnectWise provides its remote access technology to more than 1 million small businesses, according to its website.
Cybersecurity firm Huntress on Wednesday released an analysis of an actively exploited ConnectWise vulnerability. John Hammond, a security researcher at Huntress, told his TechCrunch that Huntress is aware of an “ongoing” exploit and that threat actors are moving toward “more focused post-exploit persistence mechanisms.” He said he is seeing early signs of a shift.
“We're already seeing attackers deploying Cobalt Strike beacons and installing the ScreenConnect client on the affected servers themselves,” Hammond said, adding that security researchers can use them for testing or for malicious purposes. He mentioned Cobalt Strike, a popular exploit framework that some hackers use to gain access. network. “We can expect to see more of these compromises in the near future.”
Huntress CEO Kyle Hanslovan added that Huntress' own customer telemetry shows visibility into more than 1,600 vulnerable servers.
“You can't sugarcoat it, this is terrible. We're talking over 10,000 servers controlling hundreds of thousands of endpoints,” Hanslovan told TechCrunch, adding that ConnectWise has more than 8,800 servers controlling hundreds of thousands of endpoints. We noted that our servers remain vulnerable to exploitation.
Hanslovan added: “Due to the prevalence of this software and the access granted by this vulnerability, we are on the brink of a free ransomware attack.”
ConnectWise has released a patch for the currently exploited vulnerability and urges on-premises ScreenConnect users to apply the fix immediately. ConnectWise also released a fix for another vulnerability affecting its remote desktop software. Lee told TechCrunch that the company has seen no evidence that the flaw has been exploited.
Earlier this year, the U.S. government agencies CISA and the National Security Agency launched a “widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software” (ConnectWise SecureConnect) targeting multiple federal civilian executive branch agencies. including) was observed. agency.
The U.S. government agency has also observed hackers exploiting AnyDesk's remote access software, and AnyDesk earlier this month issued password resets and certificate revocations after discovering evidence that its production systems had been compromised. It was forced.
In response to a TechCrunch inquiry, Eric Goldstein, CISA Executive Assistant Director for Cybersecurity, said: “CISA is aware of reported vulnerabilities affecting ConnectWise ScreenConnect and is working to understand potential exploits in order to provide the necessary guidance and assistance.”
Are you affected by the ConnectWise vulnerability? You can contact Carly Page securely via Signal (+441536 853968) or email. carly.page@techcrunch.com. You can also contact TechCrunch. secure drop.