-
MDRAddress the growing frequency, type, and severity of cyber threats against SMB endpoints
-
SIEMCentralize threat visibility and analysis, backed by cutting-edge threat intelligence
-
Risk Assessment & Vulnerability ManagementIdentify unknown cyber risks and routinely scan for vulnerabilities
-
Identity ManagementSecure and streamline client access to devices and applications with strong authentication and SSO
-
Cloud App SecurityMonitor and manage SaaS security risks for the entire Microsoft 365 environment.
-
SASEZero trust secure access for users, locations, and devices
-
Enterprise-grade SOCProvide 24/7 threat monitoring and response backed by proprietary threat research and intelligence and certified cyber experts
-
Policy ManagementCreate, deploy, and manage client security policies and profiles
-
Incident Response ServiceOn-tap cyber experts to address critical security incidents
-
Cybersecurity GlossaryGuide to the most common, important terms in the industry
ConnectWise Security: Public Service Announcement
10/31/2020
Vulnerability Details:
In light of the upcoming elections and recent cyber-attacks on health care systems, there have been reported increases in cyber-attacks on MSPs with attackers seeking to obtain MSP credentials to ConnectWise and competitive products by exploiting weaknesses in MSP’s security protocols and infrastructures.
We are aware of active threats using attack methods to compromise credentials and, as always, the safety and security of our partners is of the highest priority. We are issuing this public service announcement to encourage our partners, and all MSPs in our industry, to review their systems for the following to best ensure the security of their data and the data of their end customers:
General Security Best Practices
• Review the running processes on all Domain Controllers to ensure that no unexpected processes are running. Attackers are using PowerShell scripts on Domain Controllers with the flag "--hidden" in order to avoid detection by the MSP.
• Enable two-factor authentication (2FA/MFA) on all accounts to include email accounts.
• Check for the presence of the tools Cobalt Strike and Mimikatz. These tools are being utilized by ransomware actors to harvest credentials and gain a persistence on a network.
• If unusual PowerShell activity has been observed or unexpected tools installed, it is critical that all user passwords are reset after the successful removal of the tools.
• If possible, block all traffic to pastebin.com as it is a known site for malware.
Select Security Best Practices & Tips for ConnectWise Products
• In addition to MFA, we recommend restricting access to admin pages by IP, employing complex passwords and changing them regularly, and conducting regular account audits.
• Block access to RDP and similar remote access services from the Internet.
• For our ConnectWise Control partners, regularly audit the Toolbox directory to ensure there are no unexpected files within "C:\Program Files (x86)\ScreenConnect\App_Data\Toolbox".
For more tips and specific guidance on Security practices for MSPs, please visit the Security Journey on the ConnectWise University
We strongly encourage our partners and all MSP’s to review their security measures and implement the suggestions above. We also suggest that you regularly visit our Trust Site for more information and the latest updates to regularly stay current on the latest MSP security information.
Thank you for your time and attention to this important matter.
Stay safe,
ConnectWise InfoSec Team