Earlier today, we identified a potential Phishing Scam using what appears to be a ScreenConnect URL via a website spoofing technique. Here is a sample of the Scam email used:
If you received this or a similar email, do not click on any links in the email and delete the email immediately. We have already reported the malicious activity to the authorities.
If you have opened the email or accessed the malicious link provided, we recommend changing the credentials of any account you used or provided to the malicious site.
As always, we recommend carefully checking any URL for slight spelling errors, as this typically indicates phishing activity. Additionally, ConnectWise will never proactively email you to initiate a password change or confirm an MFA enablement.
The ConnectWise Team
Earlier this afternoon our team was alerted to two attempted intrusions into on-prem Automate accounts via partner Admin Accounts. The accounts were not using MFA.
We strongly encourage you to update your Automate system to version 2020.1 or higher immediately. This update applies MFA to all accounts and also forces a complex password on this account. Documentation for this update is linked here and multi-factor authentication (MFA) enablement information regarding the update is below for reference. Please note that to take advantage of the complex password requirement, you will be required to change the password for all accounts after applying the update.
While Automate 2020.4 provides the latest security enhancements, if you need time to install a 2020.1 or higher update, we recommend immediate steps to assign the Admin permissions to another user who has MFA enabled and then delete the Admin account. If you need assistance in updating or reassigning admin privileges, please contact support.
The Automate Team
Multi-Factor Authentication Details:
Multi-Factor authentication (MFA) is enabled by default in versions 2020.1 and higher for users logging in with local credentials. Before upgrading to version 2020.1 or later, email settings must be configured and each user must have a unique and valid email address entered in their user profile. For more information, refer to Multi-Factor Authentication for Automate.
To prepare for this change:
- Configure Email Settings for your system. If you have not previously configured these settings because you are concerned about receiving too many notifications or are using a PSA integration, please refer to Control Ticket Messages for information on silencing notifications by turning off ticket messaging.
- Navigate to System > Users and Contacts > Users and ensure that all users in your system have a unique and valid email address entered in their user profile.
On February 4, 2020, Huntress Labs contacted our ConnectWise Control team with a potential risk involving password resets and multi-factor authentication (MFA). Within two hours, our team mitigated the issue.
This configuration was limited to the cloud.screenconnect.com logon, which is solely for admin accounts and would require the attacker to have access to the email of the partner’s admin user. In this specific case, the password reset process sends a password reset link via email to the ConnectWise Control admin user email address on record. After completing the password reset, the user was subsequently logged in. The concern was that an attacker with access to the user’s email could have potentially leveraged the password reset functionality to gain access without the MFA challenge.
Password resets now require re-authentication, including MFA, if configured, which mitigates this potential risk.
We have verified our mitigation and have asked Huntress Labs to verify as well.
For further questions or concerns, please contact Security@ConnectWise.com.
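The reset flaw and its fix described in this advisory, modelled as an added example that is not ConnectWise's code. The `AuthService` class, its `reauth_after_reset` flag, the method names and the choice of TOTP as the MFA factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), standing in for the MFA factor (assumption)."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Hypothetical auth service; the flag selects the flawed or the fixed reset flow."""

    def __init__(self, reauth_after_reset: bool):
        self.reauth_after_reset = reauth_after_reset
        self.users: Dict[str, dict] = {}
        self.reset_tokens: Dict[str, str] = {}   # token -> email
        self.sessions: Dict[str, str] = {}       # session id -> email

    def add_user(self, email: str, password: str, mfa_secret: Optional[bytes] = None) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw": hash_password(password, salt), "mfa": mfa_secret}

    def _new_session(self, email: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid

    def request_reset(self, email: str) -> str:
        """Return the token that would be e-mailed to the address on record."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = email
        return token

    def complete_reset(self, token: str, new_password: str) -> Optional[str]:
        email = self.reset_tokens.pop(token, None)   # tokens are single use
        if email is None:
            raise PermissionError("invalid or used reset token")
        user = self.users[email]
        user["pw"] = hash_password(new_password, user["salt"])
        if self.reauth_after_reset:
            return None                  # fixed: no session, caller must go through login()
        return self._new_session(email)  # flawed: mailbox access alone yields a session

    def login(self, email: str, password: str, mfa_code: Optional[str] = None,
              now: Optional[float] = None) -> str:
        user = self.users.get(email)
        if user is None or not hmac.compare_digest(user["pw"], hash_password(password, user["salt"])):
            raise PermissionError("bad credentials")
        if user["mfa"] is not None:      # MFA is enforced whenever it is configured
            expected = totp(user["mfa"], time.time() if now is None else now)
            if mfa_code is None or not hmac.compare_digest(expected, mfa_code):
                raise PermissionError("MFA challenge failed")
        return self._new_session(email)
```

A regression test for this class of bug asserts that `complete_reset` never creates a session for an account with MFA configured, and that `login` with the new password still fails without a valid code.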
Earlier this week, a story was published about potential security vulnerabilities with ConnectWise Control. In the spirit of transparency, I wanted to provide an update on this story and outline what has been done and what our ongoing efforts are to ensure the security of our products, your business and your customers.
In late September, ConnectWise received notification from an organization that operates as a consultant in the security space, stating they had identified eight potential vulnerabilities in ConnectWise Control. While our product and security teams felt that many of these potential vulnerabilities presented a low risk of actual attack to our partners, we take security extremely seriously and investigated, resolving six of the areas of concern by Oct 2, 2019.
While the threat landscape is ever changing, we seek to constantly and proactively manage security efforts not only through the updating of our products, but through the education of our team and collaboration with third-party security experts.
As security is of critical importance to us, here are some of the things we have been doing and where we are today:
• ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. We regularly conduct penetration tests performed by both internal and external resources and have implemented ethical hacker training, OWASP processes, and consistently run vulnerability assessments on our systems and products.
• We have implemented tools that automatically evaluate behavior to reduce misuse of our products, started implementing machine learning to detect anomalies in logins, and we are about to launch a bug bounty program, as well as started the rollout of MFA and SSO across the platform.
• In Q4 of 2019, we also invested in a comprehensive developer security training curriculum to increase the security skills of our teams and assure that our developers are training on the most recent and relevant application security coding practices.
• On January 21, 2020 we launched the ConnectWise Security Trust site, which will be a primary source of information on security incidents, relevant alerts and of course critical patches and product updates.
• We hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company, to further validate our patches and confirm that the vulnerabilities were mitigated. We have published a matrix outlining each potential vulnerability with the perspectives from Bishop Fox, Huntress Labs and GuidePoint Security, LLC, along with our stance on the issue and any action being taken.
• One of the remaining two suggested areas of remediation is Cross-site Scripting (XSS) which is the potential for abuse of the Control Administrator role’s ability to customize the application. This customization ability is a key feature of Control that many partners value. This issue is considered a low actual risk, but we will be removing the option from our trial offering.
• The final identified issue is related to Security Headers. The strongest defense involves layers of security. Security Headers represent one option for implementing certain layers. In the absence of Security Headers, ConnectWise does implement security layers addressing the types of threats reported in the consultant’s assessment.
As we continue to investigate potential vulnerabilities and implement mitigation plans, we will be posting updates to our Security Trust site. I encourage you to check this site for the latest information, as well as future updates from our work with GuidePoint Security, LLC.
In our conversations with Huntress Labs to compare our findings and their results, Kyle Hanslovan, CEO of Huntress Labs has this to share:
“Bugs happen. And it’s not about when bugs happen, but it’s about what you do when they happen. We were happy to work with CRN earlier this week to confirm that ConnectWise had already patched 6 of the 8 items found. I think three things matter in this scenario: Were the bugs acknowledged, were the bugs fixed and was the company passionate about fixing them for the right reasons? I think ConnectWise came through on all three things, and after our positive conversation on January 23, we’re excited about continuing to work with ConnectWise and other vendors for the benefit of the channel as a whole.”
I want to assure our community that we understand the trust you place in our products and people. We take that trust seriously. You have our unrelenting commitment to security and transparency, and we appreciate your questions and feedback to our continuous improvement.
ConnectWise takes cybersecurity seriously and we realize that rumored and confirmed security incidents create stress and concern for our partners. Our partners and vendors can use Security@ConnectWise.com to report suspected security incidents related to our products or to inquire about a potential security incident that is associated with a ConnectWise product.
As a reflection of our commitment to cybersecurity, ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. ConnectWise regularly conducts penetration tests performed by both internal and external resources. We have implemented ethical hacker training, OWASP processes, and consistently run vulnerability assessments on our systems and products. In addition, we have implemented tools that automatically evaluate behavior to reduce misuse of our products, started implementing machine learning to detect anomalies in logins, are about to launch a bug bounty program, as well as started the rollout of MFA and SSO across the platform.
After CRN published articles on January 21, 2020, about the potential vulnerabilities in ConnectWise Control, we immediately reached out to Huntress Labs to discuss their analysis and recommendations. Our conversation with Huntress Labs was collaborative and constructive, and they were receptive to our context regarding the reported issues.
We have also hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company to assess the findings from Bishop Fox and Huntress Labs as well as run their own independent vulnerability assessment. We look forward to sharing more information with you as we have it.
We believe that mitigating cybersecurity threats starts with understanding them. Please review the following FAQ about the security of ConnectWise Control in relation to the findings from Bishop Fox and Huntress Labs.
In late September, ConnectWise received notification from a company known as Bishop Fox, an organization that operates as a consultant in the security space, stating they had identified vulnerabilities in ConnectWise Control. We had several conversations with Bishop Fox and asked for further information to assist in replicating their findings and thus facilitate any necessary improvements to our product.
Bishop Fox could not provide additional information as the attack chain for the exploits they outlined was conceptual. In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities.
ConnectWise takes the security of our products and our partners very seriously. We appreciated the insights and based on their report, we did our own internal research and evaluation and addressed the points they raised in their review. With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.
On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.
ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. We encourage partners and colleagues to contact us at firstname.lastname@example.org with any questions or to report any issues.
ConnectWise products are subject to multiple layers of security from design through testing and into operations. Product designs are aligned with security best practices and undergo security testing prior to release and regularly in production. In addition, ConnectWise developers complete security training on an annual basis at a minimum.
Six of the eight issues outlined in the report from Bishop Fox have been remediated and they were remediated as of October 2, 2019. Partners should always update their applications to stay current with new security patches and features.
In addition, Control supports multi-factor authentication on all internal users, and offers the ability to restrict or whitelist IPs, and further restrict access using user roles and permissions. Cloud instances are automatically secured with an SSL certificate and enabled with an HTTP-to-HTTPS redirect. In addition, Control admins have the option to enable ‘prompt for consent,’ which requires an end user to consent to connection.
ConnectWise is continually improving security communications. Most notably, ConnectWise has achieved SOC-2 Type 2 certification.
For this specific instance, we have hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company to assess the findings from Bishop Fox and Huntress Labs, as well as run their own independent vulnerability assessment.
Further information regarding the security of ConnectWise products may also be obtained here:
ConnectWise takes security very seriously. ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. ConnectWise regularly conducts penetration tests that are performed by both internal and external ethical hackers and we run vulnerability assessments on our systems and products on a consistent basis.
We encourage partners and colleagues to contact us at email@example.com with any questions or to report any issues.
Control Cloud partners are automatically updated to the latest stable version of Control. We recommend that on-premises instances remain up to date on support and maintenance.
Six of the eight issues outlined in the report from Bishop Fox have been remediated and they were remediated as of October 2, 2019.
On-premises partners can learn more about upgrading here:
Upgrade an On-Premises Installation of ConnectWise Control >>
Cloud partners can learn more here:
Upgrade A Cloud Instance of ConnectWise Control >>
ConnectWise previously remediated most of the items suggested by Bishop Fox. Within the next two weeks we will resolve one item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.
The ConnectWise Control team investigates all potential security threats, regardless of severity. Issues that are low in priority sometimes are also low in effort to remediate and, in those cases, we may quickly release a fix.
The Bishop Fox attack-chain references a theoretical cloud-based execution.
ConnectWise uses various methods to communicate security vulnerability information to customers. A Security Bulletin is used when publicly disclosing security vulnerabilities discovered in ConnectWise offerings.
Alternative tools and processes are used, where appropriate, when targeted or discrete communication with entitled customers is required. To protect our customers, ConnectWise does not publicly disclose or confirm security vulnerabilities until ConnectWise has conducted an analysis of the product and has issued fixes and/or mitigations.
Security Bulletins notify customers about one or more vulnerabilities. These bulletins provide guidance to assist customers in assessing the impact of any actual or potential security vulnerability in the context of their environment.
Subscribing to Security Bulletins
Coming in late Q2, 2020, ConnectWise Security Bulletins will be available for subscription via an RSS feed. Please check back for live bulletins and subscribe options.
The ConnectWise platform is an integral part of your operations and is a gateway to your clients’ sensitive business-critical data. Increasing our security measures and reducing vulnerabilities across the platform is a top priority for our entire organization to gain your confidence as your trusted vendor.
Your confidence in our ability to test and maintain a secure platform is essential to our partnership with you.
ConnectWise Incident Response Team (CIRT) Overview
The ConnectWise Incident Response Team (CIRT) is a global team that manages the receipt, investigation, and internal coordination of security vulnerability information related to ConnectWise offerings. ConnectWise CIRT is a focal point for security researchers, industry groups, government organizations, and vendors to report potential ConnectWise vulnerabilities. This team will coordinate with ConnectWise product and solutions teams to investigate, and if needed, identify the appropriate response plan. Customers of ConnectWise offerings should continue to report all product-related issues, including potential security vulnerabilities, to ConnectWise Security. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.
ConnectWise Incident Response Team Process
When ConnectWise CIRT receives a report of a potential vulnerability from a third party, ConnectWise CIRT logs the issue with the supporting details and provides the tracking number to the vulnerability reporter. ConnectWise CIRT notifies the appropriate ConnectWise product teams of the potential vulnerability for analysis.
The appropriate product team attempts to reproduce the issue to verify whether it is a vulnerability.
After the initial analysis, the vulnerability undergoes further investigation by the product team to determine the underlying cause and possible methods of exploitation. The team completes the remediation plan for the vulnerability, taking into consideration the affected versions.
In some cases, ConnectWise CIRT may request additional information from the vulnerability reporter to understand the environment in which the vulnerability appears, ways to reproduce the issue, potential exploitation methods, etc.
Once the remediation is available, ConnectWise intends to notify the affected customers about the vulnerability through the use of either targeted communications or by issuing a public Security Bulletin. When ConnectWise discloses the vulnerability publicly, the Bulletin will include details such as the Common Vulnerability Scoring System (CVSS) base score and vector, a reference to the assigned Common Vulnerabilities and Exposures (CVE) identifier, remediation for the affected offering(s), and other relevant links that may cover additional information.
The last stage in ConnectWise CIRT process allows for ConnectWise CIRT to share findings with our Engineering team(s) to help minimize similar vulnerabilities in future ConnectWise offerings.
A security vulnerability is a set of conditions in the design, implementation, operation, or management of a product or service. Vulnerabilities render the product or service unable to prevent an attack by an internal or external party, resulting in exploitations such as controlling or disrupting operation, compromising (such as deleting, altering or extracting) data, or assuming ungranted trust or identity.
Customers and other entitled users of a product or solution should report issues discovered in ConnectWise offerings to ConnectWise Security. If the ConnectWise Technical Support Team determines that a reported issue is a security vulnerability, it will contact the appropriate Security and/or System Integrity groups and inform ConnectWise PSIRT, as needed. These ConnectWise teams will collaborate as required to address the issue.
Third-party researchers and other security entities who find a potential security vulnerability in ConnectWise assets, products and services should report it to ConnectWise Security.
Q: What is a vulnerability disclosure program?
A: A vulnerability disclosure program (VDP) offers guidance for how an organization would like to be notified about potential security vulnerabilities found by external third parties and how vulnerabilities are disclosed. Often called the “see something, say something” of the Internet, this public-facing program is an industry best practice. The VDP outlines how external third parties can report potential security vulnerabilities to ConnectWise so they can be safely resolved.
Q: What is ConnectWise doing to enhance its VDP?
A: ConnectWise is continually enhancing its VDP. Later in 2020, ConnectWise will add a managed vulnerability disclosure program that connects organizations with independent cybersecurity researchers. This enhancement to the program will provide ConnectWise with an external resource to provide an initial triage to issues identified by third parties.
ConnectWise is routinely and thoroughly audited by independent third-party organizations and government agencies to ensure our products and practices comply with global and regional regulations and standards.
As a reflection of our commitment to cybersecurity, ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners.
The intent of the SOC 2 audit is to assess and address the risks associated with using an outsourced service like ConnectWise, allowing you, our users, to have trust and confidence in us and manage the risk associated with our products. The reports provide assurance of the design and operating effectiveness of our control environment as they are the result of comprehensive, independent audits.
The ConnectWise SOC 2 Type 2 reports cover the Security, Availability, and Confidentiality principles of the AICPA Trust Services Criteria (TSC) for ConnectWise Manage®, ConnectWise Automate®, ConnectWise Sell®, and ConnectWise Control®. The ConnectWise SOC 2 Type 2 reports cover the Security, Privacy, and Confidentiality principles of the AICPA Trust Services Criteria (TSC) for Continuum Command®, Continuum Fortify®, Continuum Recover®, Continuum Assist®, Continuum Enable®, and BrightGauge®.
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the entity’s objectives.
Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
Privacy: Information designated as confidential is protected to meet the entity’s objectives.
To request a copy of our SOC 2 report, send an email to firstname.lastname@example.org. Please indicate the relevant product(s) in your request.
You trust us with your data, and we’re committed to keeping it safe. ConnectWise adheres to strict industry privacy standards and complies with new privacy standards and mandates as they progress. We strive to be as transparent as possible with our data collection and usage practices, with a goal of providing best-in-class products, services, and web experiences for users. We understand that individual rights, requirements and policies vary significantly across the globe, as well as for various users and audience members.