From time to time, ConnectWise will provide communications on broader security related topics that may not be linked to a specific ConnectWise product or vulnerability, but are still of importance to our partner community.
Important Microsoft Exchange Server Vulnerability Patches Available
Microsoft has released critical patches for Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state-affiliated group. The vulnerabilities exist in on-premises Exchange Server 2010, 2013, 2016, and 2019. If you’re hosting an Exchange server, we recommend applying the patches immediately for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Background on this vulnerability and more detailed information can be found on our Perch blog: Perch bulletin: Critical zero-day Microsoft Exchange vulnerability observed in the wild.
ConnectWise SOC PSA: Fortinet FortiOS Vulnerability
Active exploits connected to a critical vulnerability present in Fortinet's operating system, FortiOS, have been observed by the ConnectWise SOC. ConnectWise is issuing this Public Service Announcement encouraging all Partners and their clients to review any FortiGate Firewalls they may be using to ensure they are fully patched against CVE-2018-13379. This vulnerability can be exploited to allow an unauthenticated attacker to obtain the contents of FortiOS system files through a specifically crafted HTTP request.
Attackers are leveraging this to access the /dev/cmdb/sslvpn_websession file, resulting in exposure of plaintext credentials for any logged-in SSL VPN users. In combination with the common usage of AD sync and credential re-use, exploitation of this presents a serious risk of domain credential compromise and email compromise, as well as, at minimum, a direct path into a client’s network via the SSL VPN.
In addition to patching, ConnectWise recommends full domain and email credential resets for any potentially affected client domains.
ConnectWise is actively reaching out to our partners that may be impacted by a recent exploitation of a Fortinet vulnerability. This is not related in any way to ConnectWise products or services.
ConnectWise Control & Iranian hacker activity
ConnectWise Control has not been hacked or compromised in any way. An Iranian hacker group, disguising its origin by routing through US/UK/EU IP addresses, obtained instances of ConnectWise Control (formerly ScreenConnect) and used them along with trojanized files containing the agent installer to compromise other organizations. Two prominent security research firms reported this to us independently, and we corroborated their findings.
The hacker group compromised the victim organizations using email phishing campaigns resulting in the installation of the ConnectWise Control agent. Subsequently, they used Control's intended functionality to execute commands on the victim’s systems.
ConnectWise takes the abuse of its products and services seriously. While we strive to follow industry best practices, detecting all instances of abuse is a continuing challenge for all in our industry.
Security Advisory - SolarWinds & FireEye
As you’ve likely seen reported, SolarWinds discovered a supply chain attack compromising their Orion business software updates that distributed malware known as SUNBURST. The malware permits an attacker to gain access to network traffic management systems, and the attacker can leverage this to gain elevated credentials. This compromise was used to target the cybersecurity firm FireEye, as well as multiple U.S. government agencies. For more information on the details of the breach, please see the advisory from the Cybersecurity & Infrastructure Security Agency.
ConnectWise Actions for our Product Security
ConnectWise does not use any SolarWinds or FireEye products internally. However, we are following the developments of this news closely and ensuring that we validate our processes and environment as new information becomes publicly available.
The security of our products, our partners, and our partner data is of critical importance, and while we have no evidence to suggest that any of our systems are involved or impacted, below are the actions we are proactively taking while this cyber event unfolds:
• Our Security Operations Center (SOC) will continue to carefully monitor the situation. Regarding the SUNBURST malware, the SOC has taken actions to blacklist the known IOCs related to the compromised files globally on our SentinelOne consoles.
• Although ConnectWise is not affected by this event, we are considering the impacts to develop our own lessons learned and use it as an opportunity to seek improvements in our processes and controls.
Recommendations for Partners
If your organization utilizes SolarWinds, be sure to stay current on the recommendations and hotfixes from SolarWinds directly. Review their Security Advisory page for updated information and fixes.
As always, if you ever see anything that you suspect may be malicious or fraudulent activity within our products, please report it immediately to our InfoSec team at firstname.lastname@example.org.
We will continue to provide updates and information as necessary, and we encourage you to visit and bookmark our Security Trust page for ongoing updates and information as it relates to ConnectWise security.
The ConnectWise InfoSec Team
ConnectWise Security: Public Service Announcement
In light of the upcoming elections and recent cyber-attacks on health care systems, there have been reported increases in cyber-attacks on MSPs, with attackers seeking to obtain MSP credentials to ConnectWise and competing products by exploiting weaknesses in MSPs’ security protocols and infrastructures.
We are aware of active threats using attack methods to compromise credentials and, as always, the safety and security of our partners is of the highest priority. We are issuing this public service announcement to encourage our partners, and all MSPs in our industry, to review their systems for the following to best ensure the security of their data and the data of their end customers:
General Security Best Practices
• Review the running processes on all Domain Controllers to ensure that no unexpected processes are running. Attackers are using PowerShell scripts on Domain Controllers with the flag "--hidden" in order to avoid detection by the MSP.
• Enable two-factor authentication (2FA/MFA) on all accounts to include email accounts.
• Check for the presence of the tools Cobalt Strike and Mimikatz. These tools are being utilized by ransomware actors to harvest credentials and gain persistence on a network.
• If unusual PowerShell activity has been observed or unexpected tools installed, it is critical that all user passwords are reset after the successful removal of the tools.
• If possible, block all traffic to pastebin.com, as it is a site known to be used for staging malware.
Select Security Best Practices & Tips for ConnectWise Products
• In addition to MFA, we recommend restricting access to admin pages by IP, employing complex passwords and changing them regularly, and conducting regular account audits.
• Block access to RDP and similar remote access services from the Internet.
• For our ConnectWise Control partners, regularly audit the Toolbox directory to ensure there are no unexpected files within "C:\Program Files (x86)\ScreenConnect\App_Data\Toolbox".
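The two file-and-process checks from the lists above (hidden PowerShell on Domain Controllers, and unexpected files in the Control Toolbox directory) as an added PowerShell example; this is not code from the ConnectWise advisory, and the hash allow-list is a constructed placeholder you would replace with your own baseline.

```powershell
# Added example, not part of the ConnectWise advisory: two defender checks drawn from
# the best-practice lists above. Run in an elevated PowerShell session on the Domain
# Controller (check 1) or the ConnectWise Control server (check 2).

function Get-HiddenPowerShellProcess {
    # Win32_Process exposes the full command line, which Get-Process does not.
    # Matches "-w hidden", "-WindowStyle Hidden" and the "--hidden" form the advisory names.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" |
        Where-Object { $_.CommandLine -match '-{1,2}(w(indowstyle)?[\s:]+)?hidden\b' } |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                ParentId    = $_.ParentProcessId
                User        = '{0}\{1}' -f $owner.Domain, $owner.User
                Started     = $_.CreationDate
                CommandLine = $_.CommandLine
            }
        }
}

function Get-UnexpectedToolboxFile {
    param(
        # Default is the path quoted in the advisory.
        [string]$ToolboxPath = 'C:\Program Files (x86)\ScreenConnect\App_Data\Toolbox',
        # Constructed placeholder: SHA-256 hashes of files you deliberately placed in the
        # Toolbox. Anything not in this baseline is reported for review.
        [string[]]$KnownSha256 = @()
    )
    if (-not (Test-Path -LiteralPath $ToolboxPath)) {
        Write-Warning "Toolbox directory not found: $ToolboxPath"
        return
    }
    Get-ChildItem -LiteralPath $ToolboxPath -File -Recurse | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if ($KnownSha256 -notcontains $hash) {
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                SizeBytes = $_.Length
                Sha256    = $hash
            }
        }
    }
}

# Review both reports; an unexpected hidden PowerShell process or an unknown Toolbox
# file warrants investigation, followed by the password resets the list above describes.
Get-HiddenPowerShellProcess | Format-Table -AutoSize -Wrap
Get-UnexpectedToolboxFile   | Format-Table -AutoSize
```

Schedule both functions to run on a fixed interval and diff the output against the previous run, so a newly appearing file or process shows up as a change rather than being lost in a long listing.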
For more tips and specific guidance on security practices for MSPs, please visit the Security Journey on the ConnectWise University.
We strongly encourage our partners and all MSPs to review their security measures and implement the suggestions above. We also suggest that you regularly visit our Trust Site for the latest updates and MSP security information.
Thank you for your time and attention to this important matter.
ConnectWise InfoSec Team
Update on the ConnectWise Automate API Vulnerability Email Communication from June 22, 2020
The security of our partners is of paramount importance to ConnectWise, and consistent with the terms of our EULA, we are always looking for anomalies in how our products are working, not only to improve functionality but also to assess for potential malicious activity. Following the Automate vulnerability identified and the hotfix implemented last week, ConnectWise was working with a few partners and identified some non-functioning agents on their Automate servers. Non-functioning agents are usually benign, but we thought it best to assess the full scope of the issue and inform impacted partners so they could take action as they see fit.
Update on the ConnectWise Manage Customer and Admin Portals:
We have issued security bulletins on the ConnectWise Manage Customer and Admin portals. Please review the security bulletin tab.
Manage Customer and Admin Portals
Trusted advisors in our community have responsibly disclosed a potential issue involving the Manage Customer and Admin Portals. Out of an abundance of caution, we have placed both portals under maintenance while we address these reports and will follow with a Security Bulletin.
Regarding the current impact to our partners, please note that the Customer Portal is still accessible to those using an external validation application such as Google or Microsoft login. We anticipate an update by mid-day, Eastern time, on Monday, June 22.
Information Security Director
Security Updates for ConnectWise Control and ConnectWise Automate
Earlier today, we identified a potential phishing scam using what appears to be a ScreenConnect URL via a website spoofing technique.
If you received this or a similar email, do not click on any links in the email and delete the email immediately. We have already reported the malicious activity to the authorities.
If you have opened the email or accessed the malicious link provided, we recommend changing the credentials of any account you used or provided to the malicious site.
As always, we recommend carefully checking any URL for slight spelling errors, as this typically indicates phishing activity. Additionally, ConnectWise will never proactively email you to initiate a password change or confirm an MFA enablement.
The ConnectWise Team
Earlier this afternoon our team was alerted to two attempted intrusions into on-prem Automate accounts via partner Admin accounts. The accounts were not using MFA.
We strongly encourage you to update your Automate system to version 2020.1 or higher immediately. This update applies MFA to all accounts and also forces a complex password on this account. Documentation for this update is linked here and multi-factor authentication (MFA) enablement information regarding the update is below for reference. Please note that to take advantage of the complex password requirement, you will be required to change the password for all accounts after applying the update.
While Automate 2020.4 provides the latest security enhancements, if you need time to install a 2020.1 or higher update, we recommend immediate steps to assign the Admin permissions to another user who has MFA enabled and then delete the Admin account. If you need assistance in updating or reassigning admin privileges, please contact support.
The Automate Team
Multi-Factor Authentication Details:
Multi-Factor authentication (MFA) is enabled by default in versions 2020.1 and higher for users logging in with local credentials. Before upgrading to version 2020.1 or later, email settings must be configured and each user must have a unique and valid email address entered in their user profile. For more information, refer to Multi-Factor Authentication for Automate.
To prepare for this change:
- Configure Email Settings for your system. If you have not previously configured these settings because you are concerned about receiving too many notifications or are using a PSA integration, please refer to Control Ticket Messages for information on silencing notifications by turning off ticket messaging.
- Navigate to System > Users and Contacts > Users and ensure that all users in your system have a unique and valid email address entered in their user profile.
ConnectWise Control's Cloud Password Reset / MFA Risk has been Mitigated
On February 4, 2020, Huntress Labs contacted our ConnectWise Control team with a potential risk involving password resets and multi-factor authentication (MFA). Within two hours, our team mitigated the issue.
This configuration was limited to the cloud.screenconnect.com logon, which is solely for admin accounts, and would require the attacker to have access to the email of the partner’s admin user. In this specific case, the password reset process sends a password reset link via email to the ConnectWise Control admin user email address on record. After completing the password reset, the user was then logged in directly. The concern was that an attacker with access to the user’s email could have potentially leveraged the password reset functionality to gain access without the MFA challenge.
Password resets now require re-authentication, including MFA, if configured, which mitigates this potential risk.
We have verified our mitigation and have asked Huntress Labs to verify as well.
For further questions or concerns, please contact Security@ConnectWise.com.
An Open Letter From Jason Magee Regarding The Bishop Fox Report Findings
Earlier this week, a story was published about potential security vulnerabilities with ConnectWise Control. In the spirit of transparency, I wanted to provide an update on this story and outline what has been done and what our ongoing efforts are to ensure the security of our products, your business and your customers.
In late September, ConnectWise received notification from an organization that operates as a consultant in the security space, stating they had identified eight potential vulnerabilities in ConnectWise Control. While our product and security teams felt that many of these potential vulnerabilities presented a low risk of actual attack to our partners, we take security extremely seriously and investigated, resolving six of the areas of concern by Oct 2, 2019.
While the threat landscape is ever changing, we seek to constantly and proactively manage security efforts not only through the updating of our products, but through the education of our team and collaboration with third-party security experts.
As security is of critical importance to us, here are some of things we have been doing and where we are today:
• ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. We regularly conduct penetration tests performed by both internal and external resources, have implemented ethical hacker training and OWASP processes, and consistently run vulnerability assessments on our systems and products.
• We have implemented tools that automatically evaluate behavior to reduce misuse of our products, started implementing machine learning to detect anomalies in logins, are about to launch a bug bounty program, and have started the rollout of MFA and SSO across the platform.
• In Q4 of 2019, we also invested in a comprehensive developer security training curriculum to increase the security skills of our teams and ensure that our developers are trained in the most recent and relevant application security coding practices.
• On January 21, 2020 we launched the ConnectWise Security Trust site, which will be a primary source of information on security incidents, relevant alerts and of course critical patches and product updates.
• We hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company, to further validate our patches and confirm that the vulnerabilities were mitigated. We have published a matrix outlining each potential vulnerability with the perspectives from Bishop Fox, Huntress Labs and GuidePoint Security, LLC, along with our stance on the issue and any action being taken.
• One of the remaining two suggested areas of remediation is Cross-site Scripting (XSS), which is the potential for abuse of the Control Administrator role’s ability to customize the application. This customization ability is a key feature of Control that many partners value. This issue is considered a low actual risk, but we will be removing the option from our trial offering.
• The final identified issue is related to Security Headers. The strongest defense involves layers of security. Security Headers represent one option for implementing certain layers. In the absence of Security Headers, ConnectWise does implement security layers addressing the types of threats reported in the consultant’s assessment.
As we continue to investigate potential vulnerabilities and implement mitigation plans, we will be posting updates to our Security Trust site. I encourage you to check this site for the latest information, as well as future updates from our work with GuidePoint Security, LLC.
In our conversations with Huntress Labs to compare our findings and their results, Kyle Hanslovan, CEO of Huntress Labs has this to share:
“Bugs happen. And it’s not about when bugs happen, but it’s about what you do when they happen. We were happy to work with CRN earlier this week to confirm that ConnectWise had already patched 6 of the 8 items found. I think three things matter in this scenario: Were the bugs acknowledged, were the bugs fixed and was the company passionate about fixing them for the right reasons? I think ConnectWise came through on all three things, and after our positive conversation on January 23, we’re excited about continuing to work with ConnectWise and other vendors for the benefit of the channel as a whole.”
I want to assure our community that we understand the trust you place in our products and people. We take that trust seriously. You have our unrelenting commitment to security and transparency, and we appreciate your questions and feedback to our continuous improvement.
Updated Statement Regarding The Bishop Fox Report Findings
ConnectWise takes cybersecurity seriously and we realize that rumored and confirmed security incidents create stress and concern for our partners. Our partners and vendors can use Security@ConnectWise.com to report suspected security incidents related to our products or to inquire about a potential security incident that is associated with a ConnectWise product.
As a reflection of our commitment to cybersecurity, ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. ConnectWise regularly conducts penetration tests performed by both internal and external resources. We have implemented ethical hacker training and OWASP processes, and consistently run vulnerability assessments on our systems and products. In addition, we have implemented tools that automatically evaluate behavior to reduce misuse of our products, started implementing machine learning to detect anomalies in logins, are about to launch a bug bounty program, and have started the rollout of MFA and SSO across the platform.
Immediately after CRN published articles on January 21, 2020, about the potential vulnerabilities in ConnectWise Control, we reached out to Huntress Labs to discuss their analysis and recommendations. Our conversation with Huntress Labs was collaborative and constructive, and they were receptive to our context regarding the reported issues.
We have also hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company to assess the findings from Bishop Fox and Huntress Labs as well as run their own independent vulnerability assessment. We look forward to sharing more information with you as we have it.
We believe that mitigating cybersecurity threats starts with understanding them. Please review the following FAQ about the security of ConnectWise Control in relation to the findings from Bishop Fox and Huntress Labs.
Original Statement Regarding The Bishop Fox Report Findings
In late September, ConnectWise received notification from a company known as Bishop Fox, an organization that operates as a consultant in the security space, stating they had identified vulnerabilities in ConnectWise Control. We had several conversations with Bishop Fox and asked for further information to assist in replicating their findings and thus facilitate any necessary improvements to our product.
Bishop Fox could not provide additional information, as the attack chain for the exploits they outlined was conceptual. In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities.
ConnectWise takes the security of our products and our partners very seriously. We appreciated the insights, and based on their report, we did our own internal research and evaluation and addressed the points they raised in their review. Out of an abundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.
On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.
ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. We encourage partners and colleagues to contact us at email@example.com with any questions or to report any issues.