Advisories
From time to time, ConnectWise will provide communications on broader security-related topics that may not be linked to a specific ConnectWise product or vulnerability, but are still of importance to our partner community.
We have created an RSS feed for these advisories. As new advisories are posted to this page, the RSS feed will be updated. Paste this link into your RSS feed reader to get updates. New to setting up RSS, or need help with RSS feeds? Here are some helpful articles to get you started:
What are RSS feeds? | How to Set Up an RSS Feed in Microsoft Outlook 2019 | Chrome Extensions: RSS Readers
October 18, 2023 Beware the hook: Malicious actor phishing email targeting ScreenConnect users
What we know
Recently, our ConnectWise Information Security team has identified an increase in phishing campaigns that attempt to exploit ConnectWise ScreenConnect™ by mimicking new login alerts to deceive users into sharing their login credentials. These phishing emails are designed to appear as genuine login alerts to gain unauthorized access to legitimate ScreenConnect instances. We know email phishing attacks continue to get more sophisticated, mirroring authentic messages and web content, so we want to ensure you are informed about this threat and know how to protect your data and privacy.
A sample of this phishing email is shown in the screenshot below and contains a “click here” link to a malicious site.

Please note, ScreenConnect does send legitimate new login alerts via email as shown in this screenshot. ConnectWise alerts do not have a “click here” link for any login notifications. If you see a link in your notification, it is not legitimate.
Our response
As phishing attempts grow more sophisticated, a combination of awareness and vigilance is needed. We encourage you to refresh your users on some of the standard phishing attack indicators. We also recommend staying vigilant in looking for clues to avoid mistakenly clicking on nefarious content. Before clicking, make sure the content reflects:
- Email domains owned by trusted sources
- Links that go to places you recognize
What should you do?
If you are concerned that you may have been compromised, please follow the steps in this security alert checklist. We also recommend reviewing the ScreenConnect security guide and best practices for further securing your instance, as well as verifying that links, your account ID, and your domain are accurate.
If you have questions, suspect you received a phishing attempt, or need to report a security or privacy incident, please visit our ConnectWise Trust Center. You can report a non-active security incident, report a security vulnerability, or call our Partner InfoSec Hotline at 1-888-WISE911.
October 4, 2023 WebP/libwebp Zero-Day Vulnerabilities
*This advisory has been updated to include the impact on ConnectWise PSA.
Security researchers disclosed two vulnerabilities relating to maliciously formed WebP images, which could be used to exploit browsers as well as the libwebp library, whose use extends well beyond browsers. The libwebp library is used by many operating systems and popular applications to render .webp images.
What we know
The vulnerability, first tracked as CVE-2023-4863, was disclosed by Google as a vulnerability affecting its Chrome browser. As researchers investigated further, it was discovered that the vulnerability traced back to the open source libwebp library, which several vendors rely on and for which they have been releasing updates.
In connection with this, CVE-2023-5129, which was registered with a critical CVSS (Common Vulnerability Scoring System) score of 10, has been rejected or withdrawn since it is a duplicate of CVE-2023-4863. The entry for the latter has been expanded to include the impact on the libwebp library.
Our response
Our cross-functional teams immediately started conducting comprehensive assessments of all our applications and systems to identify any potential areas of risk. Additionally, we have implemented enhanced monitoring measures to actively track any changes or suspicious activities related to this vulnerability.
Remediation
Remediation efforts for all identified products have started or have already been completed. In some cases, they are progressing as planned. In other instances, where the vulnerability exists in independent products we use, we are monitoring and discussing with vendors when a fix will be available to apply.
Remediation to date:
- ConnectWise ScreenConnect™ v23.7.8 has been released, which disables the use of libwebp
- ITBoost™, a ConnectWise solution, has been remediated and has been released into production
- SLI 3.0 and SLI Insights have been remediated and released into production
- Remediation efforts for ConnectWise PSA™ are ongoing. In the meantime, please consider moving to the web client instead of our thick client to reduce the risk of exposure to the vulnerability.
- BrightGauge™, SmileBack™, ConnectWise CPQ™, ConnectWise Automate™, Asio™ platform, and security services are not directly impacted by this vulnerability
While we are actively addressing this issue in our product suite, we recommend our partners take precautionary measures to enhance the security of their own environment by ensuring all their applications are up to date, regularly checking for updates, and installing them promptly.
If you have additional questions, please contact security@connectwise.com. To report a security or privacy incident, please visit the ConnectWise Trust Center. You can report both a non-active security incident, report a security vulnerability, or call our Partner InfoSec Hotline at 1-888-WISE911.
April 14, 2023 <4:00pm ET> Microsoft Message Queuing Vulnerability
We have been made aware of a vulnerability affecting Windows Operating Systems running the Microsoft Message Queuing (MSMQ) service, impacting on-premises ConnectWise PSA partners. PSA cloud partners remain unaffected.
This vulnerability allows adversaries to exploit TCP port 1801 within ConnectWise PSA and execute remote code without authorization. While no immediate threat has been detected, we strongly recommend you take the following actions immediately to mitigate this vulnerability:
- Follow the steps outlined in Microsoft’s Mitigations
- Update with the latest Microsoft patches
- If you are unable to update with the latest Microsoft patches, as a temporary mitigation:
  - Disable the external connection for port 1801
If you have additional questions, please contact security@connectwise.com.
December 20, 2022 <6:52 PM ET>: Best practice reminder - download from trusted sources
Researchers from ReversingLabs have identified malicious Python packages located on the popular Python package repository “Python Package Index (PyPI)” posing as a software development kit (SDK) from SentinelOne. The package mimics the legitimate SDK that's offered by SentinelOne to its customers but adds backdoor and data exfiltration features.
The full article that includes the writeup and IOCs (data exfiltration IPs and package SHA1 hashes) can be found at this link, and the ConnectWise Security Operations Team has been provided with the following information by SentinelOne:
"SentinelOne is aware of the report from Reversing Labs regarding malicious packages uploaded to the PyPi (Python Package Index) repository misrepresenting themselves as SentinelOne SDK.
A malicious Python package was first uploaded to PyPi on Dec 11, 2022, and as of Dec 13, 2022, the package had been updated 20 times. The report advises that the package contains a malicious backdoor with a programmatic delay before activation. We have confirmed that our customers are safe and have not seen any evidence of compromised clients due to this incident.
Packages posing as legitimate software and leveraging the PyPi repository are becoming more common and are part of a trend toward integrating threats into software supply chains and development pipelines.
We recommend only using SDK packages provided through the SentinelOne management console.
PyPI has removed the malicious package, and we are working to investigate further."
As an industry best practice, ConnectWise recommends partners download content (SDKs, executables, installation packages, etc.) directly from the vendor to minimize risk and always verify script content prior to execution.
December 13, 2022 <11:21 PM ET>: SentinelOne/Aikido Vulnerability - Action Required
Vulnerability Type: Time-of-check Time-of-use (TOCTOU) Race Condition
Vulnerability Details
SafeBreach Labs researcher Or Yair uncovered vulnerabilities in several leading EDR and AV solutions, including SentinelOne, that allow a non-privileged user to create NTFS reparse points, which create a path that “links” to a different path. The SentinelOne agent uses Windows functionality to get the path of a file to mitigate. A malicious actor may replace that path with a different path to a file for which it does not have privileges. This can potentially turn the agent into a malicious data wiper.
Products Impacted
Microsoft Windows with SentinelOne agents running all versions prior to 22.2.4.558 are vulnerable.
SentinelOne agents are utilized in the following ConnectWise products: ConnectWise SentinelOne Control, ConnectWise SentinelOne Complete, ConnectWise MDR with SentinelOne, and ConnectWise MDR Premium with SentinelOne.
This exploit was also tested against Defender, Defender for Endpoint, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus, and those products were found to be vulnerable as well.
Mitigation
In order to be protected, you are required to install the latest SentinelOne policy override in version 22.2 SP1 (22.2.4.558) on your Windows agent endpoints. ConnectWise SOC teams have already updated all the ConnectWise SentinelOne EDR and MDR consoles with the 22.2.4.558 agent.
After the updates have been deployed, please verify in the SentinelOne console whether your machines have a pending reboot that needs to be actioned, as a reboot may be required to complete the installation.
If you have any questions about the updating process, please contact our security support teams at securitypartnersupport@connectwise.com.
November 29, 2022 <4:00 PM ET>: Remaining Vigilant Against Email Phishing Attempts
We are aware of a phishing campaign that mimics ConnectWise Control New Login Alert emails and has the potential to lead to unauthorized access to legitimate Control instances. We know email phishing attacks continue to get more sophisticated, mirroring legitimate email and web content.
A sample of this phishing email is shown in the screenshot below and contains a “click here” link to a malicious site. ConnectWise has issued take-down requests for the malicious site and domains.

If you are concerned that you may have been compromised, please follow the steps in this security alert checklist. We also recommend reviewing the Control security guide and best practices for further securing your instance, as well as verifying that links, your account ID, and your domain are accurate.
Of note, Control does send legitimate New Login Alerts via email as shown in this screenshot. The legitimate “click here” link references the aforementioned security alert checklist that exists as a knowledge base article on our site.

This is a more sophisticated attempt – some of the standard phishing attack indicators aren’t there, like misplaced graphics, or spelling inconsistencies. We encourage our partners to stay vigilant in looking for clues to avoid mistakenly clicking on nefarious content. Before clicking, make sure content reflects:
- Email domains owned by trusted sources
- Links that go to places you recognize
If you have questions, suspect you received a phishing attempt, or need to report a security or privacy incident, please visit our ConnectWise Trust Center. You can report a non-active security incident, report a security vulnerability, or call our Partner InfoSec Hotline at 1-888-WISE911.
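The two checks the login-alert advisories above ask users to make (sender domain owned by a trusted source, links going to places you recognize) can also be applied mechanically during triage. The following is an added example, not ConnectWise code: it parses a constructed "new login alert" message against an assumed allowlist of domains (`example-vendor.test` stands in for whatever domains your organization actually trusts) and reports every indicator it finds, including a link whose visible text is a URL on a different host than the one it really points to.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains the organization recognizes as legitimate senders and
# link destinations. Constructed for this example, not a list published by the vendor.
TRUSTED_DOMAINS = {"example-vendor.test"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def in_allowlist(host, allowed=TRUSTED_DOMAINS):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage_login_alert(raw_message, allowed=TRUSTED_DOMAINS):
    """Return a list of findings for a raw RFC 5322 message; an empty list means none."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    if not in_allowlist(sender_domain, allowed):
        findings.append(f"sender domain not trusted: {sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not in_allowlist(host, allowed):
            findings.append(f"link to unrecognized host {host!r} (text: {text!r})")
        # Visible text that is itself a URL on a different host is a classic lure.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


# Constructed sample mimicking the lure the advisories describe (not a real message).
SAMPLE_PHISH = """From: "Login Alert" <alerts@example-phish.test>
Subject: New login alert
Content-Type: text/html; charset="utf-8"

<p>A new login was detected. To review it, <a href="http://example-phish.test/login">click here</a>
or see <a href="http://example-phish.test/x">https://help.example-vendor.test/checklist</a>.</p>
"""
```

Running `triage_login_alert(SAMPLE_PHISH)` returns four findings (untrusted sender, two unrecognized link hosts, and one text/href mismatch); the same message with every domain on the allowlist and plain link text returns none.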
May 5, 2022 <11:00 AM ET>: Email Security Best Practices
We want to provide reminders to our partners about email security best practices.
Phishing remains a significant attack vector at the front of the attack chains in some very high-profile security incidents. As such, it is imperative that organizations implement email security controls to prevent impersonation/spoofing of their users and domains. SPF, DKIM, and DMARC provide a layer of protection against this by working in tandem to authenticate email and help ensure that the sender REALLY is who they say they are.
SPF, DKIM, and DMARC Defined
- SPF (Sender Policy Framework) is an email validation protocol designed to detect and block email spoofing. It allows mail exchangers to verify that incoming mail from a specific domain comes from an IP address authorized by that domain’s administrators.
- DKIM (DomainKeys Identified Mail) utilizes cryptographic signatures by which mail service providers can verify the authenticity of the sender.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) aligns the SPF and DKIM mechanisms and allows organizations to apply policies regarding unauthorized use of email domains.
For more information and details on how to set up/configure SPF/DKIM/DMARC, there are several good resources available, including the following:
SPF: https://www.proofpoint.com/us/threat-reference/spf
DKIM: https://www.proofpoint.com/us/threat-reference/dkim
DMARC: https://www.proofpoint.com/us/threat-reference/dmarc
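The "working in tandem" point above is what DMARC alignment does: an SPF or DKIM pass only counts if the domain it authenticated lines up with the From domain the recipient sees. As an added example (not from the advisory or the linked resources), the Python below parses a constructed DMARC record, applies strict or relaxed alignment to the SPF and DKIM results, and returns the disposition the receiver should apply; the organizational-domain rule is a simplification assumed here in place of the Public Suffix List.

```python
# Added example (not from the advisory): DMARC evaluation of one message given the
# SPF and DKIM authentication results. Domains and the DMARC record are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict,
    filling in the RFC 7489 defaults (relaxed alignment, sp defaults to p)."""
    tags = {"adkim": "r", "aspf": "r"}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain):
    """Assumed simplification: organizational domain = last two labels.
    Production code must consult the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') requires an exact match, relaxed ('r')
    only requires the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain - RFC5322.From domain the user sees in the mail client
    spf_domain  - RFC5321.MailFrom domain that SPF actually checked
    dkim_domain - the d= tag of the DKIM signature that verified
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Record published at the organizational domain: p applies to it, sp to subdomains.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return "fail", (tags["sp"] if is_subdomain else tags["p"])


# Constructed record for the example domain: strict SPF alignment, relaxed DKIM.
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s"
```

The instructive case is a spoof whose envelope sender is the attacker's own domain: SPF passes for that domain, but because it does not align with the From domain the message still fails DMARC and is rejected.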
Security is a top priority at ConnectWise. Our primary goal is to provide robust, secure products and services to our partners. We also acknowledge that no technology is perfect, and ConnectWise believes that working with skilled security researchers and partners across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us via our Vulnerability Disclosure Program. We welcome working with you to resolve the issue promptly.
We are proud to be part of a community that remains equally committed to secure practices.
January 31, 2022 <8:00 PM ET>: ConnectWise Virtual Community Update
We apologize to our partners for the disruption in service last week pertaining to our virtual community. It is now online, and our product and other teams look forward to engaging with you.
Like many ConnectWise experiences (e.g. our University) our virtual community platform leverages SSO to authenticate users and ensure only authorized partners engage in our community. Our SSO mechanism did its job—only allowing verified ConnectWise partners to register, accept the terms and conditions and use the virtual community platform. There was no malicious attack on our SSO capabilities.
Last week, a valued partner (via our VDP and respected admins of the MSPGeek community) raised concern about information our virtual community search was displaying to registered community member partners. Directory search was working as intended in most cases, but a configuration issue was allowing non-registered partners to be returned in a search. This information included "first name", "last name", "company name" (and in some cases, "business title"). Although this information can easily be obtained via other platforms (like LinkedIn), it raised understandable partner concern. Only 15 registered partner members conducted searches since the community launch, and while we were unable to validate the results of their searches due to a limitation in our vendor’s API, we do know that only 18 non-registered partners' "profiles" were viewed by registered partner members as a result of those searches.
We remediated this issue within hours but took the site down pending a full review in accordance with our InfoSec policy. No malicious activity was discovered, no data was lost, and this triggered no data privacy actions in the jurisdictions involved.
Although searching by "company name" is a common community feature, partners also expressed concern that a registered partner community member could conduct such a search. We understand it is important for partner employees (registered users) to determine how much or how little information is shared with others in the virtual community. Here’s what we did:
- We reconfigured the virtual community to—after authentication—consume only basic information about registered users of the virtual community who accept the terms of service.
- Default settings now limit directory search fields to first name and last name.
- Member directory is “on” for registered partner member viewing to help deliver the experience TSPs expect when joining a virtual community. However, we have set default privacy settings for all registered members such that only their first name, last name (and profile photo where uploaded) will display when being searched for by members who aren’t their approved contacts.
- Registered members may proactively change the privacy settings associated with their user profile to control the level of information that is shared with approved contacts or other members. Partners can find more information about privacy settings in the Virtual Community FAQs.
As a courtesy, we are notifying the 18 individuals mentioned above and are reaching out to the 15 partners who conducted searches to gain their assurance this information will not be used beyond community networking.
Finally, we know it is important to you to hear what we learned from this. Our beta testing (both internal and with partners) in the 30 days prior did not expose this configuration issue. This taught us about extra measures we can and will take in the future, and we have immediately implemented additional multi-layered testing and QC mechanisms in our processes.
Transparency on all sides benefits our community. We want to thank the partner who reported this, and the partners who collaborated with us on this issue. If you have additional questions about this matter, please contact security@connectwise.com.