Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label ConnectWise. Show all posts

ConnectWise ScreenConnect Vulnerability: Navigating the Breach Risk

 

ConnectWise ScreenConnect, a widely-used remote access software, is facing a critical vulnerability that could expose sensitive data and allow the deployment of malicious code. Described as an authentication bypass flaw, the severity-rated vulnerability poses a significant risk to more than a million small to medium-sized businesses that rely on ConnectWise's remote access technology. 

The flaw was initially reported to ConnectWise on February 13, with the company publicly disclosing details on February 19. The vulnerability enables attackers to bypass authentication, potentially leading to the remote theft of confidential data or the injection of malware into vulnerable servers. While ConnectWise initially stated there was no indication of public exploitation, recent updates confirm compromised accounts and active exploitation. 

ConnectWise has not disclosed the exact number of affected customers, but it has seen "limited reports" of suspected intrusions. Approximately 80% of customer environments are cloud-based and were automatically patched within 48 hours. However, concerns persist, with cybersecurity firm Huntress reporting active exploitation and signs of threat actors moving towards more targeted post-exploitation and persistence mechanisms. 

ConnectWise spokesperson Amanda Lee declined to comment on the number of affected customers but emphasized that there has been no reported data exfiltration. However, the situation is serious, with cybersecurity experts warning of potential widespread ransomware attacks given the extensive reach of ConnectWise's software. Florida-based ConnectWise provides remote access technology to more than a million small to medium-sized businesses. 

The vulnerability, actively exploited by threat actors, poses a significant risk to the security of these businesses. Cybersecurity company Huntress reported early signs of threat actors deploying Cobalt Strike beacons and installing a ScreenConnect client onto affected servers. ConnectWise has released patches for the actively exploited vulnerability and is urging on-premise ScreenConnect users to apply the fix immediately. 

Additionally, the company has addressed another vulnerability affecting its remote desktop software, for which there is no evidence of exploitation. The incident comes in the wake of warnings from U.S. government agencies. These agencies observed a "widespread cyber campaign" involving the malicious use of legitimate remote monitoring and management (RMM) software, including ConnectWise SecureConnect. 

The current vulnerability adds to concerns about the security of remote access solutions, following recent incidents involving AnyDesk, which had to reset passwords and revoke certificates due to evidence of compromised production systems. ConnectWise is actively working to address the vulnerability, but the situation remains critical. 

The potential for a large-scale ransomware free-for-all underscores the importance of swift action and heightened cybersecurity measures to protect businesses from the evolving threat landscape. Businesses relying on remote access solutions must prioritize security to mitigate the risks associated with vulnerabilities in widely-used software platforms.

The RCE Vulnerability in ConnectWise Has Been Resolved

 


As part of the ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions, ConnectWise has released security updates that address a critical vulnerability within those products. 

In an advisory published by the company today, the company describes the security flaw as being due to an injection vulnerability. This occurs when special elements in output are not adequately neutralized before entering a downstream component. 

Among the affected software, versions are ConnectWise Recover, earlier versions of the product, and R1Soft SBM versions 6.16.3 and earlier versions. 

Several security researchers have reported that this is a critical vulnerability that could expose confidential information or allow attackers to execute code remotely using the vulnerability.

Additionally, it categorized this as a high-priority issue, meaning that it may be exploited in attacks or at a high risk of being targeted in the wild if it is not addressed immediately. 

In a report released by Huntress Labs CEO Kyle Hanslovan, security researchers have discovered, rediscovered, and expanded on the vulnerability discovered by Code White security researcher Florian Hauser. According to Huntress Labs CEO Kyle Hanslovan, the vulnerability can be exploited to spread ransomware to thousands of R1Soft servers exposed to the Internet. This is done via R1Soft servers exposed to the Internet. 

Approximately 4,800 R1Soft servers that are exposed to the Internet may be vulnerable to attacks as a result of this RCE bug. According to a Shodan scan, these servers may not be patched since ConnectWise has released patches for this issue. 

There have been automatic updates applied to ConnectWise Recover SBMs that have been impacted by the vulnerability (v2.9.9), ConnectWise announced. 

It should be noted that Cryptree users are being advised to upgrade their R1Soft backup manager to the latest release, SBM v6.16.4, released on October 28, 2022, by following the steps detailed in the R1Soft upgrade wiki.

As part of the company's recommendation, all R1Soft backup servers that are impacted should be patched as soon as possible. 

Even though patching critical vulnerabilities is always something that cybersecurity professionals are strongly encouraged to do, they do not think it is wise to do it on a Friday evening, as it can be a potentially disastrous timing decision. 

As a result, all Internet-exposed servers such as websites will be compromised to the fullest extent by malicious actors as soon as they discover a vulnerability. 

There is also a tendency for hackers to be especially active on weekends since most IT teams and security teams are away from their computers during these busy times. 

As a result of an end-of-the-week release, it is also more difficult to patch any vulnerable servers before the weekend, potentially exposing more systems for a few days to attack, especially if the release takes place along with a holiday weekend. 

There is a concern that not patching the R1Soft SBM backup solution quickly may lead to a significant security incident. This is because the R1Soft SBM backup solution is a popular tool among managed service providers and cloud hosting providers.