Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label RMM Software. Show all posts

ConnectWise ScreenConnect Vulnerability: Navigating the Breach Risk

 

ConnectWise ScreenConnect, a widely-used remote access software, is facing a critical vulnerability that could expose sensitive data and allow the deployment of malicious code. Described as an authentication bypass flaw, the severity-rated vulnerability poses a significant risk to more than a million small to medium-sized businesses that rely on ConnectWise's remote access technology. 

The flaw was initially reported to ConnectWise on February 13, with the company publicly disclosing details on February 19. The vulnerability enables attackers to bypass authentication, potentially leading to the remote theft of confidential data or the injection of malware into vulnerable servers. While ConnectWise initially stated there was no indication of public exploitation, recent updates confirm compromised accounts and active exploitation. 

ConnectWise has not disclosed the exact number of affected customers, but it has seen "limited reports" of suspected intrusions. Approximately 80% of customer environments are cloud-based and were automatically patched within 48 hours. However, concerns persist, with cybersecurity firm Huntress reporting active exploitation and signs of threat actors moving towards more targeted post-exploitation and persistence mechanisms. 

ConnectWise spokesperson Amanda Lee declined to comment on the number of affected customers but emphasized that there has been no reported data exfiltration. However, the situation is serious, with cybersecurity experts warning of potential widespread ransomware attacks given the extensive reach of ConnectWise's software. Florida-based ConnectWise provides remote access technology to more than a million small to medium-sized businesses. 

The vulnerability, actively exploited by threat actors, poses a significant risk to the security of these businesses. Cybersecurity company Huntress reported early signs of threat actors deploying Cobalt Strike beacons and installing a ScreenConnect client onto affected servers. ConnectWise has released patches for the actively exploited vulnerability and is urging on-premise ScreenConnect users to apply the fix immediately. 

Additionally, the company has addressed another vulnerability affecting its remote desktop software, for which there is no evidence of exploitation. The incident comes in the wake of warnings from U.S. government agencies. These agencies observed a "widespread cyber campaign" involving the malicious use of legitimate remote monitoring and management (RMM) software, including ConnectWise SecureConnect. 

The current vulnerability adds to concerns about the security of remote access solutions, following recent incidents involving AnyDesk, which had to reset passwords and revoke certificates due to evidence of compromised production systems. ConnectWise is actively working to address the vulnerability, but the situation remains critical. 

The potential for a large-scale ransomware free-for-all underscores the importance of swift action and heightened cybersecurity measures to protect businesses from the evolving threat landscape. Businesses relying on remote access solutions must prioritize security to mitigate the risks associated with vulnerabilities in widely-used software platforms.

SMBs Witness Surge in ‘Malware Free’ Attacks


According to the first-ever SMB Threat Report from Huntress, a company that offers security platforms and services to SMBs and managed service providers (MSPs), the most common threats that small and medium businesses (SMBs) faced in Q3 2023 were "malware free" attacks, attackers' growing reliance on legitimate tools and scripting frameworks, and BEC scams.

“Malware Free” Attacks on the Rise

In 44% of cyberattack incidents, attackers tend to deploy malware. However, in the remaining 56% of events, scripting frameworks (like PowerShell) and remote monitoring and management (RMM) software were used along with "living off the land" binaries (LOLBins).

The increased use of RMM software has turned out to be a concerning trend that is challenging to reverse.

“At the SMB level, LOLBin use is especially concerning given the state of monitoring and review for many organizations. Many critical entities—from local school districts to medical offices—may find themselves at best leveraged for cryptomining or botnet purposes, and at worst, the victims of disruptive ransomware,” the researchers noted.

The researchers notes that in over 65% of security incidents, threat actors utilize RMM software as their methods for persistence or remote access mechanisms following the initial access to the victim user's system.

Since RMM tools are largely used as legitimate software, in case they are used for any intrusion purpose, they can readily evade anti-malware security and blend in with the environment when employed for infiltration purposes. Additionally, few small businesses audit the use of RMM tools.

“In some cases, Huntress has observed adversaries diversifying among several RMM tools, such as using a combination of commercial and open-source items, to ensure redundant access to victim environments,” the researchers noted. “Therefore, monitoring RMM tool use and deployment within defended or managed environments is an increasingly important security hygiene measure to ensure owners and operators can identify potential malicious installations.”

Additional Findings

Affiliates of ransomware and operators of business email compromise (BEC) persist in their targeting of end users through the use of phishing.

Notably, malicious forwarding or other inbox rules were engaged in 64% of identity-focused assaults that SMBs faced in Q3 2023, while logins from strange or suspect places were linked to 24% of these attacks.

“While the ultimate goal of such activity remains, in most cases, BEC, defensive visibility and adversary kill-chain dependencies mean these actions are largely caught at the account takeover (ATO) phase of operations,” the experts concluded.

In 2023, Qakbot-related cybersecurity incidents have declined, with this downward trend anticipated to continue.

The findings further note that 60% of ransomware incidents were caused by uncategorized, unknown or "defunct" ransomware strains. This demonstrates a variation in the kind of ransomware frequently observed in corporate settings, where "known-variant ransomware deployments" are the primary target.

“Whether for monetization purposes through ransomware or BEC, or potentially even state-directed espionage activity, SMBs remain at risk from a variety of entities,” the researchers added. 

The researchers further raised concerns towards the adversaries that are exploiting the gaps in  users’ visibility and awareness over evading security controls. While spam filtering and a solid anti-malware program used to be enough for a small business to "get by," the current threat landscape makes these straightforward efforts inadequate.


Hackers Exploit Action1 RMM in Ransomware Attacks

 

Remote Monitoring and Management (RMM) tools are an essential part of IT management, allowing businesses to remotely monitor and manage their IT systems. However, recent reports indicate that hackers increasingly target RMM tools to launch ransomware attacks against businesses.

One RMM tool specifically targeted is Action1, a cloud-based endpoint management platform. Hackers have been exploiting vulnerabilities in the platform to gain unauthorized access to systems and launch ransomware attacks.

According to a tweet by Kostas Tsartsaris, an information security researcher, attackers have been abusing Action1 RMM to deploy Cobalt Strike and other malicious payloads. Cobalt Strike is a powerful penetration testing tool that has been repurposed by hackers for use in ransomware attacks.

Businesses can turn to Digital Forensics and Incident Response (DFIR) services to prevent and respond to such attacks. These services allow businesses to quickly identify and respond to cybersecurity incidents, including ransomware attacks.

In response to the rising threat of ransomware, Action1 has unveiled an AI-based threat-hunting solution. This solution uses machine learning algorithms to detect and respond to potential security threats in real-time.

While RMM tools are essential for IT management, businesses must be aware of the potential security risks associated with them. By implementing robust security measures, such as DFIR services and AI-based threat hunting solutions, businesses can help to protect their systems and data from ransomware attacks and other cyber security threats.

It is important for businesses to remain vigilant and proactive in their approach to cyber security. By staying up-to-date with the latest security trends and implementing best practices, businesses can help to mitigate the risks of cyber-attacks and protect their valuable data.

Using Legitimate Remote Management Systems, Hackers Infiltrate Federal Agencies

 


Last summer, several Federal Civilian Executive Branch (FCEB) agencies were breached across several states of the US through a clever hacking operation that employed two off-the-shelf remote monitoring and management systems (RMMs). 

A joint advisory was released on Jan. 25, 2013, by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC). This joint advisory shed light on the attacks in detail. It also warned the cybersecurity community of the misuse of commercial RMM software. It also provided mitigation strategies as well as indicators of potential compromise. 

To monitor and manage client networks and endpoints remotely, IT service providers use Remote Monitoring and Management tools (RMMs). According to the US government, hackers can bypass typical software control policies on victim computers using the same software to evade authorization requirements. 

Hackers Used RMMs to Breach the Government's Security 

As part of its retrospective analysis of Einstein, a system CISA deploys across its FCEB agencies that detects intrusions, CISA conducted this scenario last October. There may have been more to the research than the researchers had expected. 

There was a phishing email sent to the government email address of an employee of FCEB in mid-June last year by hackers. The email provided a phone number that needed to be called in response to the email. They were instructed to visit the website www.myhelpcare.online when calling the number, it prompted them to visit a malicious website. 

By visiting this domain, an executable was downloaded, which was then used to connect to a second domain through Internet Protocol (IP), where two Remote Management Managers (RMMs) - AnyDesk and ScreenConnect (now ConnectWise Control) - got involved. In the case of the second domain, NoneDesk and ScreenConnect were not installed on the target computer. 

Compared to the number of standalone programs that were downloaded, a much higher proportion were downloaded as self-contained, portable executables which were configured to connect back to the servers of the threat actors, rather than downloadable as standalone files. 

Why is this significant? What are the implications of this? It is pertinent to note that the authoring organizations have explained that portable executables do not require administrator privileges, so they can be used in settings where a risk management control may be in place to audit or block the installation of an unapproved program on a network even if the program has not been approved by the corporate IT department. 

By taking advantage of the compromised software controls and admin privileges, the threat actors would have a chance to take advantage of other vulnerable machines within the local intranet or use the executable to establish long-term persistent access as a local user service. 

The June compromise, however, appears to have just been the tip of the iceberg when it comes to issues of the future. There was further analysis of the traffic between a different FCEB network, "my help is .cc," and a similar domain - "my help is cc," which three months later led to another FCEB network being observed and the authors recall that further analysis revealed related activity involving other FCEB networks as well. 

There is no doubt that the attackers were motivated financially, although they targeted government employees. Using RMM software, the attackers connected to targets' computers and enticed victims to log into their bank accounts to monitor their balances. The authors exploited their access to modify the summaries of the recipient's bank accounts through RMM software. The actors then instructed the recipient to 'refund' this excess amount to the scam operator by returning it to the bank account summary. This showed that the recipient had mistakenly refunded an excess amount of money.