From time to time, ConnectWise will provide communications on broader security related topics that may not be linked to a specific ConnectWise product or vulnerability, but are still of importance to our partner community.
July 16, 2021: ConnectWise Security Update: How We Secure Our Products
I specifically want to discuss four areas relevant to the Kaseya incident and the recently published guidance from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA): Mandatory MFA, Admin Access Restrictions, Web Application Firewalls (WAF) and Removing Anti-Virus Exclusions.
- Mandatory Multi-factor Authentication (MFA): Currently, all agent-based products have mandatory MFA. Several other products have MFA as a configurable option. We plan to move all products to a mandatory MFA model by the end of 2021 and will be soon rolling out resources, education, and communications to help our partners make this transition.
- Restricting Access to Admin Interfaces via IP limitations: Today, ConnectWise Control supports IP restrictions. Automate, and all other products will implement IP restrictions by the end of Q3, 2021.
- Web Application Firewall (WAF): This is under evaluation in Q3, 2021 for our various products to execute both with and without the IP limiting features.
- Removing Anti-Virus exclusions: AV exclusions for all products will be eliminated by the end of Q3, 2021.
Here are some additional practices and programs already launched:
- SOC2 Type 2 Certification: All products are SOC2 Type 2 certified and are re-certified every six months.
- Cloud Environment Monitoring: Product cloud environments are monitored 24/7 by our SOC for suspicious/malicious activity.
- Vulnerability Management: All products are subject to multiple security assessments including automated testing in the delivery pipeline, internal red-teaming, external penetration tests, and Bug Bounty.
- Malware Protection: Cloud infrastructure is protected using advanced endpoint detection and response capabilities.
- Delivery Pipeline: ConnectWise subjects its development and delivery pipeline to threat modeling to improve security against supply chain attacks.
- Disaster Recovery: Data backup and disaster recovery programs are in place across all cloud environments. Access and encryption controls are established to safeguard data back-ups. All recovery and data restoration plans are tested and updated regularly.
Cyber threats are ever present and evolving, and we are committed to not only delivering best practices within our products, but also keeping you up to date on our progress and resources. I encourage you to look at the other pages on our Trust Center for information regarding how we secure our environments, request/view our SOC2 and SOC3 reports, sign up to receive our security bulletins, and more.
As always, if you need to report an incident or vulnerability within our products, you can also do that through our Trust Center or by contacting firstname.lastname@example.org.
Thank you for your partnership.
July 15, 2021: ConnectWise to Re-enable MSPAssist Integration
As you know, we temporarily disabled integrations between Kaseya MSPAssist and ConnectWise following the recent ransomware attack on Kaseya, a number of its partners, and a large number of end clients. Shortly after the attack, Kaseya hired Mandiant, whose forensics report confirmed the attack on VSA.
On July 14, we received additional information from Kaseya allowing us to assess any residual risk in the MSPAssist environment and we have determined that we will re-enable the integration into ConnectWise Manage and Automate.
To ensure you have had time to prepare, we will re-enable this tomorrow, July 16 at 10am ET.
We understand the business impact of this disabled integration and want to assure you that our top priority is always to ensure the security of our products and systems to protect you and our partner community from cybercrime. We are pleased that we were able to successfully work together with Kaseya to keep our mutual partners safe.
As always, we urge our partners to take the following steps to manage their own risk with this and any integration:
- Assure that the credentials used for the integration are configured with the least privilege necessary to function. Do not implement with administrative level permissions. Please contact Kaseya for instructions on configuring permissions.
- Know how to disable the integration - or any integration - within your admin interface if you are still not comfortable with the integration being active.
- To disable an integration,go to System > Members > API Keys and search for API Keys of an integration you wish to disable. Then navigate to that member > API Keys and delete the API Key for that integration. This will disable all integrations using those credentials.
- It may be a good idea to also cycle all of the API Keys to ensure there are not unused Keys still active and old keys have not been shared with anyone.
Thank you for your continued partnership.
ConnectWise to Re-enable IT Glue Integrations
As you know, we temporarily disabled integrations between Kaseya and IT Glue solutions and ConnectWise following the recent ransomware attack on Kaseya, a number of its partners and a large number of end clients. Shortly after the attack, Kaseya hired Mandiant, whose forensics report confirmed the attack on VSA. Since July 2, we have been in communication with Kaseya. We let Kaseya know that once an accredited third-party confirmed the IT Glue environment was not impacted by the VSA incident, we would re-enable that integration.
On Saturday, July 10, we received the first written Mandiant report referencing the IT Glue integration. After reviewing the statement provided by Mandiant and performing our own risk assessment, we have determined that we will re-enable the IT Glue integration into ConnectWise Manage and Automate. To ensure you have had time to prepare, we will re-enable this tomorrow, Tuesday, July 13, at 10:00am ET. We are pleased that we were able to successfully work together with Kaseya and IT Glue to keep our mutual partners safe.
We understand the business impact of this disabled integration and want to assure you that our top priority is always to ensure the security of our products and systems to protect you and our partner community from cybercrime.
As always, we urge our partners to prepare for managing their own risk with this and any integration with the following:
- Assure that the credentials used for the integration are configured with the least privilege necessary to function. Do not implement with administrative level permissions. See documentation on credentials and permission levels here.
- Know how to disable this integration – or any integration – within your admin interface.
- This is useful if you are still not comfortable with the integration being active.
- Also, it is imperative to have a rapid response process in place, should there ever be an issue due to the integration. See documentation here on: Removing a PSA integration or Pausing a PSA sync.
Thank you for your continued partnership.
ConnectWise – IT Glue Integration Update
We have received some questions about when we will re-enable IT Glue/Kaseya integrations following the ransomware attack against Kaseya, which impacted some of our shared partners. Given the sophistication and scope of the attack, we temporarily disabled integrations between Kaseya platform products and ConnectWise.
We will re-enable the IT Glue integration (and others) once we officially confirm that there is no vulnerability or threat through third-party validation or through our own due diligence to confirm there is no risk to our partners as it relates to this incident. If it is confirmed that there was in fact a compromise of anything on the Kaseya or IT Glue side that integrates with ConnectWise applications, cybercriminals could, in certain situations, potentially leverage that to possibly exfiltrate data or execute code remotely. We engaged with Kaseya to ensure our concerns are not only heard but addressed, and currently the third-party validation provided confirms VSA’s exposure but did not indicate any analysis had been done for IT Glue or other Kaseya solutions. We’ve requested this from Kaseya/IT Glue and we have also offered to help fund such an audit.
We apologize for the delay, but our top priority continues to be ensuring our partners and your clients are protected. Thank you for your patience as we work through the fallout from the Kaseya attack. We will continue to provide you with regular updates. In the meantime, you can find resources here on the Trust Center and at https://www.connectwise.com/company/rapid-response.
Thank you for your partnership.
Malware Scam Campaign & Recent Kaseya VSA Ransomware Attack
Be aware that there is currently a malware scam campaign attempting to take advantage of the recent Kaseya VSA ransomware attack.
- Anyone targeted by this campaign will receive an email with an attachment named “SecurityUpdates.exe.” Under no circumstances should anyone attempt to download this file.
- The email may also contain a link pretending to be an official security update from Microsoft designed to patch the Kaseya vulnerability.
Tom Greco, Chief Information Security Office, ConnectWise
July 6, 2021: A Message from ConnectWise CISO Tom Greco
As most are now aware, a massive ransomware attack perpetrated via Kaseya VSA has impacted several Technology Service Providers (TSPs) and their clients. Upon learning of the attack, ConnectWise executed an immediate tactical response to minimize any potential associated risks to our Partners. We released a Security Advisory on our Trust Site and via email on Friday evening outlining these actions. We are continuing to monitor the situation and will provide an update if/when necessary based on the potential residual risk to Partners.
Beyond the tactical response, we understand that our Partners may have heightened concerns regarding ConnectWise security as a key vendor supporting your businesses. Further, in light of SolarWinds and this most recent incident, the possibility of supply chain attacks or exploitation of zero-day vulnerabilities is likely topping your list of concerns.
How does ConnectWise view and address these threats?
While I have outlined a few specifics on our security controls below, I also want to invite you to review our newly refreshed and redesigned Trust Center website, which will be the most current source of information about our security practices, SOC2 reports and additional security, compliance, and privacy resources. It also houses our security bulletins, which are now searchable with a variety of filtering options.
At the top level, our Information Security Program is based upon industry-accepted standards including NIST 800-171, CIS Controls, and ISO 27001.
We expend tremendous effort subjecting our controls to rigorous, independent audits every six months resulting in SOC2 Type 2 reports. These provide third-party attestations that our security controls are designed properly and are operating effectively. In addition to SOC2 certification, ConnectWise is also actively pursuing NIST 800-171 and CMMC compliance.
Additionally, our cloud environments are hosted with world-class providers who possess multiple security certifications including SOC2 Type 2. Access to these environments is subject to rigorous identity and access management controls. Multi-factor authentication is required for all access, privileged or otherwise. Use of privileged accounts is further restricted by conditional and time-bound controls.
All access is also tightly monitored 24/7, employing sophisticated contextual and behavioral methods to detect anomalies. Our SOC and incident response teams quickly triage and disposition any alerts.
To minimize service interruption, we have established data backup and disaster recovery capabilities within all cloud environments. These include multiple components to minimize the risk of any single point of failure. Access and encryption controls are established to safeguard data back-ups, and all plans are tested and updated regularly.
Our approach to vulnerability management is multi-faceted.
- We have embraced the Shift Left strategy in our SDLC to detect potential vulnerabilities as early as possible in the development/delivery pipeline.
- We have improved our secure-by-design efforts including enhanced developer training, updated application security standards, and expanded threat modeling.
- Our code is also regularly subjected to multiple internal and external penetration tests.
- To subject our code to even more scrutiny, we have implemented Bug Bounty and Vulnerability Disclosure Programs as well via HackerOne.
More specific to the supply chain threat, the SolarWinds incident prompted us to execute a threat model against our delivery pipelines in order to identify opportunities for improvement in the associated controls. Areas of focus included, but were not limited to, access and authorization (CI/CD, SCM, and developers), code commits, and configuration management.
This is not meant to be an exhaustive view of our efforts in security, but rather to provide some insight into key controls. We also published resources for MSPs and partners who may have been affected by last week’s events at www.connectwise.com/rapidresponse. The security of our partners and their clients is of critical importance to us and we invite you to contact my team at email@example.com if you have any specific questions or concerns.
Thank you for your continued partnership and stay safe.
Chief Information Security Office, ConnectWise
Information on the Kaseya VSA Ransomware Attack & What ConnectWise is Doing to Help Our Partners
As you may be aware, Kaseya VSA is experiencing a REvil ransomware attack impacting MSP customers and end customers.
If your organization utilizes Kaseya VSA, Kaseya has advised that you IMMEDIATELY shut down your VSA server until you receive further notice from them.
Actions ConnectWise is Taking to Protect Our Partners:
The security of our partners and systems is our top priority. ConnectWise’s Security Operations Center, Network Operations Center, Product and Engineering teams are actively reviewing and monitoring and have thus far found no evidence to suggest that any of our systems are involved or impacted.
Below are the following actions we are taking to ensure the security of our products and systems:
- We see no indication of similar attacks, compromises, or suspicious activity associated with ConnectWise products and services.
- We have temporarily disabled all on-prem and cloud Kaseya and IT Glue integrations into Manage as a precautionary step until more information is available. Our team will share information about re-connecting the access once the all-clear message has been released.
- Our Security Operations Center (SOC) team has and will continue to carefully monitor the situation. We have taken actions to review the available threat data contained in our SOC monitored systems looking for potentially compromised environments (Fortify Endpoint, Fortify Network, Perch and StratoZen). In addition, we have temporarily removed any exclusions related to the Kaseya agent, and blacklisted the IOCs related to what is currently known of the attack based on our work within the MSP cyber community.
- The ConnectWise Cyber Research Unit (CRU) is monitoring threat activity from obtained malware samples. We have used these samples to generate and monitor for IoCs (Indicators of Compromise) around this threat. These IoCs are being used to hunt for true positive correlations.
- CRU is actively searching for the following IoCs for partners that utilize StratoZen and Perch. Please note that there are additional IoCs that we are currently unable to share.
1. Multiple C2 domains from JSON malware configuration file which are not being shared at this time.
2. Hashes for the attack structure:
1. agent.exe: 561cffbaba71a6e8cc1cdceda990ead4 (MD5)
2. agent.exe (encrypt payload): SHA15162f14d75e96edb914d1756349d6e11583db0b0
3. mpsvc.dll(sideloaded encryption payload): SHA1 656c4d285ea518d90c1b669b79af475db31e30b1
3. Certificate Signer identity:
1. PB03 TRANSPORT LTD
4. Additional CRU malware sandbox IoCs which cannot yet be publicly shared
- ConnectWise CRU Event Notifications
- The CRU has deployed a new event notification in Perch and StratoZen to alert for any activity around known IoCs from this attack. The ConnectWise SOC is actively monitoring for this alert.
- [Windows][CRU] Kaseya Buffalo Jump File Create in "kworking" Directory
- Actions deployed in SentinelOne:
- All Kaseya exclusions removed from all production SentinelOne consoles.
- IOCs of agent.exe and mpsvc.dll blacklisted across all SentinelOne consoles.
- IOCs searched across all SentinelOne consoles historical data.
- We are working and partnering with other vendors to further assist the IT Nation community.
- ConnectWise Control will offer free temporary STANDARD support licensing available to partners affected by this incident and who do not have a current Control account. Navigate here to sign up for the free license. This will enable impacted partners to maintain connectivity with their client machines during these turbulent times.
As always, if you ever notice anything that you suspect may be malicious or fraudulent activity within our products, please report them immediately to our InfoSec team at firstname.lastname@example.org.
We will continue to provide updates and information as necessary.