Security experts are warning that a high-risk vulnerability in a widely used remote access tool is “trivial and embarrassingly easy” to exploit, as the software’s developer confirms malicious hackers are actively exploiting the flaw.
The maximum severity-rated vulnerability affects ConnectWise ScreenConnect (formerly ConnectWise Control), a popular remote access software that allows managed IT providers and technicians to provide real-time remote technical support on customer systems.
The flaw is described as an authentication bypass vulnerability that could allow an attacker to remotely steal confidential data from vulnerable servers or deploy malicious code, such as malware. The vulnerability was first reported to ConnectWise on February 13, and the company publicly disclosed details of the bug in a security advisory published on February 19.
ConnectWise initially said there was no indication of public exploitation, but noted in an update on Tuesday that ConnectWise confirmed it has “received updates of compromised accounts that our incident response team have been able to investigate and confirm.”
The company also shared three IP addresses which it says “were recently used by threat actors.”
When asked by TechCrunch, ConnectWise spokesperson Amanda Lee declined to say how many customers are affected but noted that ConnectWise has seen “limited reports” of suspected intrusions. Lee added that 80% of customer environments are cloud-based and were patched automatically within 48 hours.
When asked if ConnectWise is aware of any data exfiltration or whether it has the means to detect if any data was accessed, Lee said “there has been no data exfiltration reported to us.”
Florida-based ConnectWise provides its remote access technology to more than a million small to medium-sized businesses, its website says.
Cybersecurity company Huntress on Wednesday published an analysis of the actively exploited ConnectWise vulnerability. Huntress security researcher John Hammond told TechCrunch that Huntress is aware of “current and active” exploitation, and is seeing early signs of threat actors moving on to “more focused post-exploitation and persistence mechanisms.”
“We are seeing adversaries already deploy Cobalt Strike beacons and even install a ScreenConnect client onto the affected server itself,” said Hammond, referring to the popular exploitation framework Cobalt Strike, used both by security researchers for testing and abused by malicious hackers to break into networks. “We can expect more of these compromises in the very near future.”
Huntress CEO Kyle Hanslovan added that Huntress’ own customer telemetry shows visibility into more than 1,600 vulnerable servers.
“I can’t sugarcoat it — this shit is bad. We’re talking upwards of ten thousand servers that control hundreds of thousands of endpoints,” Hanslovan told TechCrunch, noting that upwards of 8,800 ConnectWise servers remain vulnerable to exploitation.
Hanslovan added that due to the “sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all.”
ConnectWise has released a patch for the actively exploited vulnerability and is urging on-premise ScreenConnect users to apply the fix immediately. ConnectWise also released a fix for a separate vulnerability affecting its remote desktop software. Lee told TechCrunch that the company has seen no evidence that this flaw has been exploited.
Earlier this year, U.S. government agencies CISA and the National Security Agency warned that they had observed a “widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software” — including ConnectWise SecureConnect — to target multiple federal civilian executive branch agencies.
The U.S. agencies also observed hackers abusing remote access software from AnyDesk, which was earlier this month forced to reset passwords and revoke certificates after finding evidence of compromised production systems.
In response to inquiries by TechCrunch, Eric Goldstein, CISA executive assistant director for cybersecurity, said: “CISA is aware of a reported vulnerability impacting ConnectWise ScreenConnect and we are working to understand potential exploitation in order to provide necessary guidance and assistance.”
Are you affected by the ConnectWise vulnerability? You can contact Carly Page securely on Signal at +441536 853968 or by email at carly.page@techcrunch.com. You can also contact TechCrunch via SecureDrop.