AWS-EU-0321

March 21, 2024 Unauthenticated access to legacy AWS server located in the EU region

We want to notify you of a security incident that we are currently investigating. Our team was notified by a security researcher of a vulnerability to a single AWS server in our EU environment. This server hosts a legacy service that we had targeted for deprecation. While our investigation is ongoing, we wanted to inform you of the potential risk associated with this incident.

Incident details

Date and time: The vulnerability was initially reported on March 17. On March 18, we mitigated the vulnerability and subsequently, on March 20, we discovered there was unauthorized access to the AWS server.

Nature of access: The access appears to be unauthenticated, indicating a potential security breach.

Server location: The compromised single server is a legacy system in the AWS EU region.

Data at risk: Preliminary investigations suggest that the information viewable to an unauthorized party would be limited to the email addresses for a subset of individuals who had authenticated into the EU environment.

Actions taken

Immediate response: Upon detection, our security team initiated immediate response protocols to contain the incident and mitigate any further potential risks.

Investigation: Our InfoSec team, working alongside an external forensics firm, has launched a thorough investigation into the incident to ascertain the extent of the unauthorized access and any potential malicious activity.

Potential impact

We are treating this incident seriously and are thoroughly investigating with our InfoSec team as well as an independent external forensics firm. We believe that there was a finite amount of information available to be viewed by an unauthorized party (e.g., email address) and that an unauthorized party would not be able to expand access beyond the single AWS server.

The service in question is consumed by our legacy Continuum environments; however, this issue is constrained to our EU implementation only. This service is not consumed by any of the other product lines, such as PSA or Automate.

Throughout the day on March 21, the teams are running additional scans and tests and partners may experience some intermittent slowness or authentication issues during those times. We will do our best to limit the partner impact.

Next steps

We will continue to share updates on the progress of our investigation and communicate directly to the small number of partners in the EU who may have been impacted.

Support

If you need any assistance or have additional questions, please go online to ConnectWise Home and open a case with our support team or email help@connectwise.com.


We appreciate your continued partnership.


March 4, 2024 Important Update: Hardening guidelines for ConnectWise ScreenConnect CVE-2024-1708 (path traversal)

ConnectWise published a security bulletin and multiple communications regarding vulnerabilities found in ConnectWise ScreenConnect™ (CVE-2024-1709, CVE-2024-1708). As a reminder and as part of the remediation process for on-prem partners—whether you have patched your server or still need to—it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online. 

If you possess enhanced Windows event logs or endpoint detection and response (EDR) solutions, thorough investigation should be conducted to identify any suspicious activity, including evidence of commands run from webshells or other indicators of compromise. 

In the event that file anomalies or other indicators of compromise are identified, it is highly recommended to seek assistance from external response companies specializing in incident response and digital forensics. These companies possess the expertise necessary to effectively investigate and remediate security concerns.

Cloud partners 

Cloud partners are remediated against both vulnerabilities reported on February 19. No further action is required from any cloud partner (“screenconnect.com” cloud and “hostedrmm.com”). 

On-premise partners 

Whether you have patched your server or still need to, it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online. 

Review file system, enhanced Windows event logs or EDR solutions for suspicious activity, such as webshell commands or other compromise indicators. 

Seek assistance from specialized incident response and forensics firms if potentially impacted files are identified.

To assist in the remediation and hardening process, we encourage partners to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.  

Within the Mandiant-provided hardening guide, you will find additional mitigation and steps to check for signs of compromise, such as: 

  • Auditing rogue users, malicious extensions, and additional checks for indicators of compromise 
  • Enabling baseline audit and privacy logs 
  • Proxy server and load balance configurations 
  • Restricting Egress 
  • Additional details for restricting permissions 

These steps should be reviewed and implemented after you have upgraded to a patched version of ScreenConnect. 

We strongly urge all users of ScreenConnect to prioritize the installation of the latest patch and follow the recommended mitigation and hardening measures outlined in the provided resources to safeguard their systems against potential security risks. 

CWE-288

February 21, 2024 ConnectWise ScreenConnect vulnerability CWE-288: What should I do?

February 29, 2024 update:

Cloud partner summary:

Cloud partners are remediated against both vulnerabilities reported on February 19. No further action is required from any cloud partner (“screenconnect.com” cloud and “hostedrmm.com”).

On-prem partner summary:

On-prem partners are advised to immediately upgrade to the latest version of ScreenConnect to remediate against reported vulnerabilities.

Active maintenance

If you are on active maintenance, we strongly recommend upgrading to the most current release of 23.9.8 or later. Using the most current release of ScreenConnect includes security updates, bug fixes, and enhancements not found in older releases.

Off maintenance

ConnectWise has provided a patched version of 22.4.20001 available to any partner regardless of maintenance status as an interim step to mitigate the vulnerability. If you are not currently under maintenance, please upgrade your servers to version 22.4.20001 at minimum or to your latest eligible patched version that includes the remediation for CVE-2024-1709.

Upgrade ScreenConnect to a patched version immediately

1. To upgrade to version 23.9.8 or later, please note there is a specific upgrade path that must be followed:

2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9.8+

2. If you are not on maintenance and upgrading to 22.4.20001 (or your latest eligible version), please follow this specified upgrade path: 

2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.4.20001

For instructions on how to upgrade your on-premise installation click here.

Addressing license errors

If a license error arises during the upgrade, please stop the four ScreenConnect services (Session Manager, Security Manager, Web Server, Relay), move the “License.xml” file from the installation folder “C:\Program Files (x86)\ScreenConnect\App_Data\License.xml” to another location such as Desktop, and proceed with the upgrade. After the upgrade is complete, the license key will need to be re-added by stopping the four services and dropping the file back into the App_Data folder.

February 21 original advisory:

If you suspect you have been compromised related to the recent ConnectWise ScreenConnect™ vulnerability (CWE-288), please follow the mitigation steps below.

1. Upgrade ScreenConnect to the current 23.9.8 version immediately

  • Please note, there is an upgrade path that must be followed*
    2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9
  • Click here to upgrade your on-premise installation

2. If you receive a license error when upgrading, it may be due to a technical problem on the server, or the license key itself may need to be renewed*.

If the upgrade cannot be completed, please delete the SetupWizard.aspx file out of the installation folder:
C:\Program Files (x86)\ScreenConnect\SetupWizard.aspx

*Please see the February 29, 2024 advisory update to review the amended upgrade path and instructions on how to address licensing errors.

3. Identify the issue

  • When compromised, the User.xml file on the ScreenConnect instance is reset and replaced with a new file that contains only information about one new user
    C:\Program Files (x86)\ScreenConnect\App_Data\User.xml
  • This file can be restored from a backup to get the original users back (if applicable)
  • If you don’t have a user backup, the user file can be reset again by following the process outlined here.

4. Once you are able to log in, check for malicious commands/tools or connections.

  • Install the Report Manager extension on the Admin > Extensions page > Browse Extension Marketplace button
  • Launch Report Manager from the Admin page > Extras menu (4x boxes lower left corner) > Report Manager
  • There are pre-built reports that will export data as a CSV. All reports show the last 30 days of data by default (this is dependent on the database maintenance plans)
  • Host Session Connections—shows all connections made to devices
  • Queued Commands Example—shows all remote commands run against devices
  • Queued Toolbox Items Example—shows all toolbox items that were queued up

Support

If you need any assistance or have additional questions, please go online to ConnectWise Home and open a case with our support team or email help@connectwise.com.

Report a security incident

If you have questions or need to report a security or privacy incident, please visit our ConnectWise Trust Center. You can also call our Partner InfoSec Hotline at 1-888-WISE911 to report a non-active security incident or a security vulnerability. 

February 20, 2024 Patch immediately—critical ScreenConnect vulnerability

Update: 

Indicators of compromise

Indicators of compromise (IOCs) are observable artifacts that point to malicious activity or threats. These indicators can be incorporated into your cybersecurity monitoring platform, where they can help you stop a cyberattack that is in progress. You can also use IOCs to detect and stop ransomware, malware, and other cyberthreats before they cause data breaches.

We have received reports of compromised accounts that our incident response team has been able to investigate and confirm. The following IP addresses were recently used by threat actors; we are making them available for protection and defense. IOCs:

  • 155.133.5.15
  • 155.133.5.14
  • 118.69.65.60
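As an added example (not part of the advisory, and not a ConnectWise tool), the following Python scans web-server style log lines for the three addresses listed above and reports which indicators fired. The log lines are constructed for the demonstration; the address set is the one published in this update.

```python
import ipaddress
import re
from typing import Iterable

# The IP addresses published in this advisory update as indicators of compromise.
SCREENCONNECT_IOC_IPS = frozenset({"155.133.5.15", "155.133.5.14", "118.69.65.60"})

# Dotted-quad candidates; the lookarounds stop partial matches inside longer strings.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4(line: str) -> list[str]:
    """Return every syntactically valid IPv4 address in a log line, in order."""
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(candidate)  # rejects octets above 255
        except ipaddress.AddressValueError:
            continue
        found.append(candidate)
    return found


def scan_log(lines: Iterable[str], iocs=SCREENCONNECT_IOC_IPS) -> list[tuple[int, str, str]]:
    """Return (line_number, matched_ip, line) for each line mentioning an IOC address.

    Every address on the line is checked, so a match in a forwarded-for field
    or a relay address is caught as well as one in the client-IP column."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in extract_ipv4(line):
            if ip in iocs:
                hits.append((lineno, ip, line.rstrip()))
    return hits


def summarize(hits) -> dict[str, int]:
    """Count matches per IOC so the report shows which indicators actually fired."""
    counts: dict[str, int] = {}
    for _, ip, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample lines (date, time, server, method, URI, status, client IP);
# 10.0.0.5 and 203.0.113.7 are placeholder addresses, not indicators.
SAMPLE_LOG = [
    "2024-02-20 03:14:07 10.0.0.5 GET /Host 200 - 155.133.5.15",
    "2024-02-20 03:14:09 10.0.0.5 GET /Login 200 - 203.0.113.7",
    "2024-02-20 03:15:22 10.0.0.5 GET /Login 200 - 118.69.65.60",
    "2024-02-20 03:16:01 10.0.0.5 GET /Host 404 - 256.1.1.1",
    "2024-02-20 03:17:45 10.0.0.5 GET /Host 200 - 155.133.5.15",
]

if __name__ == "__main__":
    for lineno, ip, line in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} -> {line}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Exact-string matching is deliberate: the advisory gives individual hosts, not ranges, and a CIDR rule built around them would over-match neighbouring addresses. To run it against a real access log, pass an open file object to scan_log in place of SAMPLE_LOG.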

We will continue to update with any further information as it becomes available. 


Original Advisory:

Summary 

At ConnectWise, our top priority is upholding our commitment to deliver and maintain secure products for our partners. Our team has been working around the clock to ensure your protection from the issues affecting the latest ConnectWise ScreenConnect™ vulnerability that was responsibly reported to us through our vulnerability disclosure process.  

Product(s) impacted 

ConnectWise ScreenConnect™, including ScreenConnect instances co-hosted on ConnectWise Automate™ cloud servers.  

What we know 

Vulnerabilities were reported February 13, 2024, through our vulnerability disclosure channel via the ConnectWise Trust Center. There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks.  

Our response 

We have been following our escalated vulnerability response process, and because of the teams working tirelessly, a patch was made available on February 19, 2024. 

Remediation 

It is strongly recommended that our on-premise partners not wait for a maintenance window to patch but immediately update to the latest ScreenConnect version, 23.9.8.

More information on this vulnerability and detailed instructions on patch availability and how to mitigate the vulnerabilities can be found in this security bulletin. 

Report a security incident  

If you have additional security-related questions, please contact security@connectwise.com. To report a security or privacy incident, please visit the ConnectWise Trust Center. There you can report a non-active security incident or a security vulnerability, or you can call our Partner InfoSec Hotline at 1-888-WISE911.

February 9, 2024 FortiSIEM critical vulnerabilities affecting ConnectWise Co-Managed SIEM powered by StratoZen

Fortinet has recently disclosed two critical vulnerabilities in its FortiSIEM platform (CVE-2024-23108 and CVE-2024-23109), which is used as part of the ConnectWise Co-Managed SIEM powered by StratoZen security offering. Fortinet is advising all partners to upgrade to the latest version of FortiSIEM (7.1.3), which Fortinet just released. Please note that all hosted StratoZen environments are protected by firewalls that do not allow traffic to the FortiSIEM instances on the vulnerable service. Nevertheless, out of an abundance of caution, ConnectWise is upgrading all hosted environments over the next week, and we strongly recommend all co-managed partners upgrade to the latest version of FortiSIEM.

What we know 

The vulnerability is within an API used for communications between FortiSIEM components. Collectors do not communicate on that API and are not impacted by the CVE-2024-23108 and CVE-2024-23109 vulnerabilities. ConnectWise does not allow access to the environments on that API, thus the vulnerability cannot be directly exploited remotely.

Our response 

All hosted FortiSIEM instances are running behind our firewall that is not exposing the vulnerable port and service, protecting your instance. In addition, ConnectWise is upgrading all hosted FortiSIEM instances to the latest version of 7.1.3 over the next week.  

Remediation 

Hosted StratoZen partners

All FortiSIEM instances are running behind our firewall that is not exposing the vulnerable port and service. No further immediate action is needed for hosted environments.

Co-managed StratoZen partners

If you are a co-managed partner, we advise you take action immediately to upgrade your FortiSIEM instances to the latest version (7.1.3). We also encourage you to check your firewall settings to ensure only necessary ports are open for remote access. Please contact us at supportdesk@stratozen.com if you need any assistance with upgrading.

Report a security incident 

If you have additional security-related questions, please contact security@connectwise.com. To report a security or privacy incident, please visit the ConnectWise Trust Center. There you can report a non-active security incident or a security vulnerability, or you can call our Partner InfoSec Hotline at 1-888-WISE911.

January 22, 2024 Brute-force attempts on ConnectWise ScreenConnect

What we know 

Our team recently noticed malicious activity by bad actors attempting credential-stuffing and brute-force attacks targeting some ConnectWise Automate partners with ConnectWise ScreenConnect instances. We are pleased to report that there is no evidence of any unauthorized access, and the security measures we have in place worked as intended to prevent any breach.  

What should you do? 

If you receive an email notifying you that you or someone in your company has been locked out of your ScreenConnect account, please make sure you do not click on any suspicious links and reach out to our support team immediately for assistance in verifying the legitimacy of the lockout email and restoring access securely. To contact support, go online to ConnectWise Home and log in to open a support ticket.

Preventative security measures 

With the evolving sophistication of cyberattack attempts on the rise globally, we are keenly aware that this can happen anytime with any product to any company, large or small. So, it is critically important to maintain a security-first focus, remain vigilant, and follow best practices to ensure the ongoing safety and security of your information and systems.  

  • Multi-factor authentication (MFA)
    Implement MFA to add an extra layer of protection. This significantly reduces the risk of unauthorized access, even if login credentials are compromised. You can find additional resources here and here to learn more about enabling MFA on your account.
  • Regular password policy reviews
    Enforce strong password policies for all users. Regularly review and update passwords to ensure they meet current security standards. To edit user password requirements and configurations, click here.
  • Employee training and awareness 
    Conduct regular security awareness training for your team to recognize phishing attempts and other social engineering tactics. Employees play a crucial role in maintaining a secure environment. 
  • Incident response plan
    Develop and regularly update an incident response plan. This ensures a swift and coordinated response in the event of a security incident, minimizing potential damage. 

By following these best practices and promptly contacting our support team when needed, we can collectively strengthen our defenses against potential threats. 

Report a security incident 

If you have questions or need to report a security or privacy incident, please visit our ConnectWise Trust Center. You can also call our Partner InfoSec Hotline at 1-888-WISE911 to report a non-active security incident or a security vulnerability.  

October 18, 2023 Beware the hook: Malicious actor phishing email targeting ScreenConnect users

What we know

Recently, our ConnectWise Information Security team has identified an increase in phishing campaigns that attempt to exploit ConnectWise ScreenConnect™ by mimicking new login alerts to deceive users into sharing their login credentials. These phishing emails are designed to appear as genuine login alerts to gain unauthorized access to legitimate ScreenConnect instances. We know email phishing attacks continue to get more sophisticated, mirroring authentic messages and web content, so we want to ensure you are informed about this threat and know how to protect your data and privacy.

A sample of this phishing email is shown in the screenshot below and contains a “click here” link to a malicious site.  

[Screenshot: sample phishing email containing a “click here” link to a malicious site]

Please note, ScreenConnect does send legitimate new login alerts via email as shown in this screenshot. ConnectWise alerts do not have a “click here” link for any login notifications. If you see a link in your notification, it is not legitimate.

Our response

With the evolving sophistication of phishing attempts on the rise, a combination of awareness and vigilance is needed. We encourage you to refresh your users with some of the standard phishing attack indicators. We also recommend staying vigilant in looking for clues to avoid mistakenly clicking on nefarious content. Before clicking, make sure content reflects:

  • Email domains owned by trusted sources
  • Links go to places you recognize

What should you do?

If you are concerned that you may have been compromised, please follow the steps in this security alert checklist. We also recommend reviewing the ScreenConnect security guide and best practices for further securing your instance, as well as verifying that links, your account ID, and your domain are accurate.

If you have questions, suspect you received a phishing attempt, or need to report a security or privacy incident, please visit our ConnectWise Trust Center. There you can report a non-active security incident or a security vulnerability, or you can call our Partner InfoSec Hotline at 1-888-WISE911.

October 4, 2023 WebP/libwebp Zero-Day Vulnerabilities

*This advisory has been updated to include the impact to ConnectWise PSA.

Security researchers disclosed two vulnerabilities relating to maliciously formed WebP images, which could be used to exploit browsers as well as the libwebp library, whose use extends well beyond browsers. The libwebp library is used by many operating systems and popular applications to render .WebP images.

What we know

The vulnerability, first tracked as CVE-2023-4863, was disclosed by Google as a vulnerability affecting its Chrome browser. As researchers investigated further, it was discovered that the vulnerability traced back to the open source libwebp library, which several vendors rely on and for which they have been releasing updates.

In connection with this, CVE-2023-5129, which had been registered with a critical CVSS (Common Vulnerability Scoring System) score of 10, has been rejected or withdrawn because it is a duplicate of CVE-2023-4863. The entry for the latter has been expanded to include the impact on the libwebp library.

Our response

Our cross-functional teams immediately started conducting comprehensive assessments of all our applications and systems to identify any potential areas of risk. Additionally, we have implemented enhanced monitoring measures to actively track any changes or suspicious activities related to this vulnerability.

Remediation

Remediation efforts have started, or have already been completed, for all identified products. In some cases they are progressing as planned. In other instances, where the vulnerability exists in independent products we use, we are monitoring and discussing with vendors to determine when a fix will be available to apply.

Remediation to date:

  • ConnectWise ScreenConnect™ v23.7.8 has been released, which disables the use of libwebp
  • ITBoost™, a ConnectWise solution, has been remediated and has been released into production
  • SLI 3.0 and SLI Insights have been remediated and released into production
  • Remediation efforts for ConnectWise PSA™ are ongoing. In the meantime, please consider moving to the web client instead of our thick client to reduce the risk of exposure to the vulnerability.
  • BrightGauge™, SmileBack™, ConnectWise CPQ™, ConnectWise Automate™, Asio™ platform, and security services are not directly impacted by this vulnerability

While we are actively addressing this issue in our product suite, we recommend our partners take precautionary measures to enhance security in their own environments by ensuring all their applications are up to date, regularly checking for updates, and installing them promptly.

If you have additional questions, please contact security@connectwise.com. To report a security or privacy incident, please visit the ConnectWise Trust Center. There you can report a non-active security incident or a security vulnerability, or you can call our Partner InfoSec Hotline at 1-888-WISE911.

April 14, 2023 <4:00pm ET> Microsoft Message Queuing Vulnerability

We have been made aware of a vulnerability affecting Windows Operating Systems running the Microsoft Message Queuing (MSMQ) service, impacting on-premise ConnectWise PSA partners. PSA cloud partners remain unaffected.

This vulnerability allows adversaries to exploit TCP port 1801 within ConnectWise PSA and execute remote code without authorization. While no immediate threat has been detected, we strongly recommend you take the following actions immediately to mitigate this vulnerability:

  • Follow the steps outlined in Microsoft’s Mitigations
  • Update with the latest Microsoft patches
  • If you are unable to update with the latest Microsoft patches, as a temporary mitigation:
    Disable the external connection for port 1801

If you have additional questions, please contact security@connectwise.com.

December 20, 2022 <6:52 PM ET>: Best practice reminder - download from trusted sources

Researchers from ReversingLabs have identified malicious Python packages located on the popular Python package repository “Python Package Index (PyPI)” posing as a software development kit (SDK) from SentinelOne.  The package mimics the legitimate SDK that's offered by SentinelOne to its customers but adds backdoor and data exfiltration features. 

The full article, which includes the write-up and IOCs (data exfiltration IPs and package SHA1 hashes), can be found at this link, and the ConnectWise Security Operations Team has been provided the following information from SentinelOne:

"SentinelOne is aware of the report from Reversing Labs regarding malicious packages uploaded to the PyPI (Python Package Index) repository misrepresenting themselves as SentinelOne SDK. 

A malicious Python package was first uploaded to PyPI on Dec 11, 2022, and as of Dec 13, 2022, the package had been updated 20 times. The report advises that the package contains a malicious backdoor with a programmatic delay before activation. We have confirmed that our customers are safe and have not seen any evidence of compromised clients due to this incident. 

Packages posing as legitimate software and leveraging the PyPI repository are becoming more common and are part of a trend toward integrating threats into software supply chains and development pipelines.

We recommend only using SDK packages provided through the SentinelOne management console. 

PyPI has removed the malicious package, and we are working to investigate further." 

As an industry best practice, ConnectWise recommends partners download content (SDKs, executables, installation packages, etc.) directly from the vendor to minimize risk and always verify script content prior to execution.  


December 13, 2022 <11:21 PM ET>: SentinelOne/Aikido Vulnerability-Action Required

Vulnerability Type: Time-of-check Time-of-use (TOCTOU) Race Condition  

Vulnerability Details 
SafeBreach Labs researcher Or Yair uncovered vulnerabilities in several leading EDR and AV solutions, including SentinelOne, that allow a non-privileged user to create NTFS reparse points, which create a path that “links” to a different path. The SentinelOne agent uses Windows functionality to get the path of a file to mitigate. A malicious actor may replace the path with a different path to a file to which it does not have privileges. This can potentially turn the agent into a malicious data wiper.
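The flaw described above is a check-then-act race: the agent resolves a path, and what that path points to is changed before the agent acts on it. The same race exists on POSIX systems with symbolic links. The following added example (not SentinelOne's or ConnectWise's code) shows the pattern a deletion routine can use to defeat it: record the file's device and inode when it is flagged, open the directory component by component with O_NOFOLLOW, and re-check the file's identity through the directory descriptor before unlinking. The directory names and file contents are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIdentity:
    """Device and inode numbers recorded when the file was judged malicious."""
    dev: int
    ino: int


def identify(path: str) -> FileIdentity:
    """Record which regular file currently sits at 'path' (final symlink not followed)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path!r} is not a regular file")
    return FileIdentity(st.st_dev, st.st_ino)


def open_dir_nofollow(directory: str) -> int:
    """Open an absolute directory path one component at a time, refusing to follow a
    symlink at any step (the POSIX counterpart of refusing NTFS reparse points)."""
    if not os.path.isabs(directory):
        raise ValueError("absolute path required")
    fd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    try:
        for component in filter(None, directory.split(os.sep)):
            flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
            next_fd = os.open(component, flags, dir_fd=fd)  # ELOOP if it is a symlink
            os.close(fd)
            fd = next_fd
    except OSError:
        os.close(fd)
        raise
    return fd


def remove_if_unchanged(path: str, expected: FileIdentity) -> bool:
    """Delete 'path' only if it is still the regular file identified earlier.

    Everything after the directory is opened is done relative to that descriptor,
    so swapping a path component for a link between check and use cannot redirect
    the deletion elsewhere. Returns True only when the file was actually removed."""
    directory, name = os.path.split(os.path.abspath(path))
    try:
        dir_fd = open_dir_nofollow(directory)
    except OSError:
        return False  # a directory component is now a link or has vanished
    try:
        st = os.lstat(name, dir_fd=dir_fd)  # a symlink shows up as a symlink here
        if not stat.S_ISREG(st.st_mode):
            return False  # the name now points at a link or a directory
        if (st.st_dev, st.st_ino) != (expected.dev, expected.ino):
            return False  # a different file now lives under this name
        os.unlink(name, dir_fd=dir_fd)
        return True
    except FileNotFoundError:
        return False
    finally:
        os.close(dir_fd)


def demo() -> dict:
    """Constructed scenario in a scratch directory; the 'sample' files hold plain text."""
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        quarantine = os.path.join(root, "quarantine")
        os.mkdir(quarantine)
        victim = os.path.join(root, "important.txt")
        with open(victim, "w") as f:
            f.write("data that must survive\n")
        flagged = os.path.join(quarantine, "sample.bin")

        # 1. Honest case: the flagged file is unchanged and is removed.
        with open(flagged, "w") as f:
            f.write("constructed sample\n")
        deleted = remove_if_unchanged(flagged, identify(flagged))

        # 2. The file name is swapped for a symlink after it was identified.
        with open(flagged, "w") as f:
            f.write("constructed sample\n")
        ident = identify(flagged)
        os.unlink(flagged)
        os.symlink(victim, flagged)
        swapped_deleted = remove_if_unchanged(flagged, ident)

        # 3. A directory component is swapped for a symlink instead.
        os.unlink(flagged)
        os.rmdir(quarantine)
        os.symlink(root, quarantine)
        via_dir = os.path.join(quarantine, "important.txt")
        dir_link_deleted = remove_if_unchanged(via_dir, identify(via_dir))

        return {"deleted": deleted, "swapped_deleted": swapped_deleted,
                "dir_link_deleted": dir_link_deleted,
                "victim_survived": os.path.exists(victim)}
    finally:
        shutil.rmtree(root)
```

Running demo() exercises the three cases: the unchanged file is removed, while a name swapped for a symlink and a directory swapped for a symlink are both refused and the target file survives. The example is written against POSIX because the Windows primitives differ (reparse points rather than symlinks, and different file-identity fields); the structure of the defence, pin the identity and refuse to follow links while resolving, is the same.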

Products Impacted  
Microsoft Windows with SentinelOne agents running all versions prior to 22.2.4.558 are vulnerable.  

SentinelOne agents are utilized in the following ConnectWise products: ConnectWise SentinelOne Control, ConnectWise SentinelOne Complete, ConnectWise MDR with SentinelOne, and ConnectWise MDR Premium with SentinelOne. 

This exploit was also tested against Defender, Defender for Endpoint, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus, all of which were found to be vulnerable.

Mitigation 
In order to be protected, you are required to install the latest SentinelOne policy override in version 22.2 SP1 (22.2.4.558) on your Windows agent endpoints. ConnectWise SOC teams have already updated all the ConnectWise SentinelOne EDR and MDR consoles with the 22.2.4.558 agent. 

After the updates have been deployed, please verify in the SentinelOne console if your machine has a pending reboot that needs to be actioned in case this is required to complete the installation.  

If you have any questions about the updating process, please contact our security support teams at securitypartnersupport@connectwise.com.   

November 29, 2022 <4:00 PM ET>: Remaining Vigilant Against Email Phishing Attempts

We are aware of a phishing campaign that mimics ConnectWise Control New Login Alert emails and has the potential to lead to unauthorized access to legitimate Control instances. We know email phishing attacks continue to get more sophisticated, mirroring legitimate email and web content.

A sample of this phishing email is shown in the screenshot below and contains a “click here” link to a malicious site. ConnectWise has issued take-down requests for the malicious site and domains.

If you are concerned that you may have been compromised, please follow the steps in this security alert checklist. We also recommend reviewing the Control security guide and best practices for further securing your instance, as well as verifying that links, your account ID, and your domain are accurate.

Of note, Control does send legitimate New Login Alerts via email as shown in this screenshot.  The legitimate “click here” link references the aforementioned security alert checklist that exists as a knowledge base article on our site.

This is a more sophisticated attempt – some of the standard phishing attack indicators aren’t there, like misplaced graphics, or spelling inconsistencies. We encourage our partners to stay vigilant in looking for clues to avoid mistakenly clicking on nefarious content. Before clicking, make sure content reflects:

  • Email domains owned by trusted sources
  • Links that go to places you recognize
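The two checks listed above (trusted email domains, links that go where you expect) can be applied mechanically to a message body. The following added example, which is not a ConnectWise tool and is not part of this advisory or the October 2023 one, extracts every link from an HTML email and flags any whose host is not on a recipient-defined allowlist, and any whose visible text names a different host than the one it actually points to. The allowlist and the sample message are constructed.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the domains the recipient recognises as the sender's own.
TRUSTED_DOMAINS = frozenset({"connectwise.com", "screenconnect.com"})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._current: Optional[list[str]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def link_host(url: str) -> str:
    """Lower-cased host of a URL, or '' when it has none (relative or mailto: link)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when host equals a trusted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def text_host(text: str) -> Optional[str]:
    """If the visible link text is itself a URL or bare hostname, return its host."""
    if not text or " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "//" + text
    return link_host(text) or None


def suspicious_links(html: str, trusted=TRUSTED_DOMAINS) -> list[dict]:
    """Return one finding per link that fails either indicator from the advisory."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = link_host(href)
        if not host_is_trusted(host, trusted):
            reasons.append("host not in trusted list")
        shown = text_host(text)
        if shown and shown != host:
            reasons.append("visible text names a different host")
        if reasons:
            findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


# Constructed sample body modelled on the "new login alert" lure described above.
SAMPLE_EMAIL = """
<p>A new login to your ScreenConnect instance was detected.</p>
<p>If this was not you, <a href="https://screenconnect-alerts.example.net/verify">click here</a>.</p>
<p>Review <a href="https://docs.connectwise.com/security">the security checklist</a>.</p>
<p>Or visit <a href="https://example.net/login">https://connectwise.com/login</a> directly.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding)
```

A relative or mailto: link has no host and is flagged too, which is the conservative choice for an alert email that should only ever link back to the product's own domain. The allowlist encodes the recipient's judgement of "trusted sources", so it belongs in per-organisation configuration rather than in the code.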

If you have questions, suspect you received a phishing attempt, or need to report a security or privacy incident, please visit our ConnectWise Trust Center. There you can report a non-active security incident or a security vulnerability, or you can call our Partner InfoSec Hotline at 1-888-WISE911.

May 5, 2022 <11:00 AM ET>: Email Security Best Practices 

We want to provide reminders to our partners about email security best practices.  

Phishing remains a significant attack vector fronting attack chains in some very high-profile security incidents. As such, it is imperative that organizations implement email security controls to prevent impersonation/spoofing of their users and domains. SPF, DKIM, and DMARC provide a layer of protection against this by working in tandem to authenticate email and help ensure that the sender REALLY is who they say they are.

SPF, DKIM, and DMARC Defined   

  • SPF (Sender Policy Framework) is an email validation protocol designed to detect and block email spoofing. It allows mail exchangers to verify that incoming mail from a specific domain comes from an IP Address authorized by that domain’s administrators.  
  • DKIM (DomainKeys Identified Mail) utilizes cryptographic signatures by which mail service providers can verify the authenticity of the sender.  
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) aligns the SPF and DKIM mechanisms and allows organizations to apply policies regarding unauthorized use of email domains. 
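As an added example that is not part of the original bulletin, the following Python parses an SPF record and a DMARC record the way a receiving mail server reads them and reports settings that leave spoofing unpunished: an SPF record that ends in +all or ?all, too many lookup-incurring mechanisms, a DMARC policy of none, a missing rua address, or pct below 100. The four records are constructed for a fictional domain, and the code does not query DNS.

```python
# SPF mechanisms whose evaluation costs a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_MECHANISMS = frozenset({"include", "a", "mx", "ptr", "exists"})


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into mechanisms, modifiers, the qualifier on 'all'
    and the number of lookup-incurring terms at the top level (includes are
    not followed, so nested lookups are not counted)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        head = term.split("=", 1)[0]
        if "=" in term and ":" not in head:          # modifier, e.g. redirect=
            modifiers[head.lower()] = term.split("=", 1)[1]
            lookups += head.lower() == "redirect"
            continue
        qualifier = "+"                              # an unqualified mechanism passes
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()            # drop a CIDR suffix on a/mx
        if name == "all":
            all_qualifier = qualifier
        lookups += name in LOOKUP_MECHANISMS
        mechanisms.append((qualifier, name, value))
    return {"mechanisms": mechanisms, "modifiers": modifiers,
            "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value;' pairs from a DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: str) -> list[str]:
    """Return human-readable findings for settings that let spoofed mail through."""
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    findings = []
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not end in '-all' or '~all', so unlisted senders pass")
    if spf["lookups"] > 10:
        findings.append(f"SPF uses {spf['lookups']} lookup terms; RFC 7208 permits 10")
    policy = dmarc.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is '{policy}': failures are reported but still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC has no 'rua' address, so aggregate reports are never received")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC policy is applied to only {dmarc['pct']}% of failing mail")
    return findings


# Constructed records for a fictional domain; they are not any real domain's DNS.
SPF_WEAK = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 +all"
SPF_OK = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", SPF_WEAK, DMARC_WEAK), ("ok", SPF_OK, DMARC_OK)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

p=none is the intended first stage of a DMARC rollout, which is exactly why the report flags it: it delivers reports but blocks nothing, so the domain is not yet protected. The lookup count covers only the top-level record; a full check has to resolve each include and redirect target and count their mechanisms too.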

For more information and details on how to set up and configure SPF/DKIM/DMARC, there are several good resources available, including the following:

SPF: https://www.proofpoint.com/us/threat-reference/spf 

DKIM: https://www.proofpoint.com/us/threat-reference/dkim 

DMARC: https://www.proofpoint.com/us/threat-reference/dmarc 

Security is a top priority at ConnectWise. Our primary goal is to provide robust, secure products and services to our partners. We also acknowledge that no technology is perfect, and ConnectWise believes that working with skilled security researchers and partners across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us via our Vulnerability Disclosure Program. We welcome working with you to resolve the issue promptly.  

We are proud to be part of a community that remains equally committed to secure practices. 

January 31, 2022 <8:00 PM ET>: ConnectWise Virtual Community Update

We apologize to our partners for the disruption in service last week pertaining to our virtual community. It is now online, and our product and other teams look forward to engaging with you.

Like many ConnectWise experiences (e.g. our University), our virtual community platform leverages SSO to authenticate users and ensure only authorized partners engage in our community. Our SSO mechanism did its job—only allowing verified ConnectWise partners to register, accept the terms and conditions and use the virtual community platform. There was no malicious attack on our SSO capabilities.

Last week, a valued partner (via our VDP and respected admins of the MSPGeek community) raised concern about information our virtual community search was displaying to registered community member partners. Directory search was working as intended in most cases, but a configuration issue was allowing non-registered partners to be returned in a search. This information included "first name", "last name", "company name" (and in some cases, "business title"). Although this information can easily be obtained via other platforms (like LinkedIn), it raised understandable partner concern.  Only 15 registered partner members conducted searches since the community launch, and while we were unable to validate the results of their searches due to a limitation in our vendor’s API, we do know that only 18 non-registered partners "profiles" were viewed by registered partner members as a result of those searches.

We remediated this issue within hours but took the site down pending a full review in accordance with our InfoSec policy. No malicious activity was discovered, no data was lost, and this triggered no data privacy actions in the jurisdictions involved.

Although a common community feature, partners also expressed concern that a registered partner community member could conduct a search by "company name". We understand it is important for partner employees (registered users) to determine how much or how little information is shared with others in the virtual community. Here’s what we did:

  • We reconfigured the virtual community to—after authentication—consume only basic information about registered users of the virtual community who accept the terms of service.
  • Default settings now limit directory search fields to first name and last name.
  • Member directory is “on” for registered partner member viewing to help deliver the experience TSPs expect when joining a virtual community. However, we have set default privacy settings for all registered members such that only their first name, last name (and profile photo where uploaded) will display when being searched for by members who aren’t their approved contacts.
  • Registered members may proactively change the privacy settings associated with their user profile to control the level of information that is shared with approved contacts or other members. Partners can find more information about privacy settings in the Virtual Community FAQs.

As a courtesy, we are notifying the 18 individuals mentioned above and are reaching out to the 15 partners who conducted searches to gain their assurance this information will not be used beyond community networking.

Finally, we know it is important to you to hear what we learned from this. Our beta testing (both internal and with partners) in the 30 days prior did not expose this configuration issue. This taught us about extra measures we can and will take in the future; and we have immediately implemented additional multi-layered testing and QC mechanisms to our processes.  

Transparency on all sides benefits our community. We want to thank the partner who reported this, and the partners who collaborated with us on this issue. If you have additional questions about this matter, please contact security@connectwise.com.