ENRAGED DUCK threatens MSPs with CVE-2020-14159

Update: This vulnerability was discovered by Syswarden. Perch wants to ensure credit is given for his research and findings: https://syswarden.com/blog/connectwise-automate-vulnerability-send-trending-sqli

We have a special edition of the usually weekly threat report, focusing on a ConnectWise Automate API Vulnerability: CVE-2020-14159. We’re going to take a deep dive into the vulnerability disclosure, discuss the specific details of the vulnerability, explore the threats we’ve seen, and take a look at the timeline of patches.

Automate API vulnerability disclosed

On June 10, ConnectWise (CW) disclosed a command execution vulnerability in Automate.

According to CW, “A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance.”

Although the vulnerability requires authentication, downloading an Automate agent from the server does not. An attacker can extract SERVERPASS from the agent, making authentication trivial.

Vulnerability details

In CW Automate version 2020.5 and earlier, the Automate agent downloaded from /LabTech/Deployment.aspx contained a SERVERPASS that could be leveraged to attack. With the agent password, a remote authenticated user can send a crafted XML payload in the post body of an HTTP request, triggering a SQL injection vulnerability in /LabTech/agent.aspx. This SQL injection allows the attackers to gain command of the Automate server.

tr-info.jpg

Perch reported the vulnerability to MITRE to inquire about a CVE for this vulnerability. CVE-2020-14159 was reserved for this threat report.

Two vulnerabilities lead to command execution:

  • Unauthenticated Automate agent download from /LabTech/Deployment.aspx contains password disclosure that allows for authenticated requests to the Automate server.
  • SQL injection vulnerability in the Automate server can be triggered via HTTP post request with crafted XML payload to /LabTech/agent.aspx.

Hackers target Automate vulnerability

Perch Security, a leading cybersecurity provider for managed service providers (MSPs), has discovered evidence of threat actors targeting MSPs vulnerable to CVE-2020-14159.

Perch observed two groupings of scanners: one group from Russia and one actor leveraging Private Internet Access (VPN). Additionally, we saw a small amount of scanning activity using AWS infrastructure.

We can learn a few things by looking at the HTTP response codes:

1. The leading 301 and 302 HTTP responses indicate early scanning activity. Attackers are looking for /LabTech/Deployment.aspx, but it’s not there. They are politely redirected to an existing page.

2. The 200 responses show that end-users were able to retrieve the agent, but, as evident from the spike in 404s, the majority of scan activity was avoided as customers blocked traffic to /LabTech/Deployment.aspx.

cve-2020-14159-graph-1.png

Pivoting to look at countries involved in scanning, we can see some additional trends. After removing legitimate traffic from the United States and Australia, there are spikes in /LabTech/Deployment.aspx requests from foreign countries after the CW Automate disclosure. Notably, one spike from a single IP in Russia occurs days before the announcement.

ZAO Hosting Telesystems - Russia

The Russian IP, 78.110.50.123, was observed requesting /LabTech/Deployment.aspx from multiple MSPs. The IP is owned by ZAO Hosting Telesystems and has a negative reputation. It’s possible this was part of an initial wave of activity that led to the discovery of the vulnerability.

cve-2020-14159-graph-2.png

Above - Traffic from countries over time - minus Australia and the United States

When you look at total activity from all countries (minus Australia and the United States) over the last two weeks, there’s an even distribution of source countries with a slight lean towards Russia.

cve-2020-14159-graph-3.png

ENRAGED DUCK

Despite this traffic originating from many countries, we believe much of it is related to a single actor. The majority of agent download requests were from Private Internet Access (PIA) VPN egress IPs with distinct and matching user-agent strings. The relatively even distribution of source countries reinforces that a single actor is changing their source country consistently throughout the scan.

Internally, Perch uses an APT name generator to label threat actors and their campaigns. The threat actor for this campaign is ENRAGED DUCK. While intelligence is still emerging about this actor, here’s what we currently know:

  • Uses PIA to scan for targets
  • Is familiar with MSP RMM software, like Automate
  • Python scripting
  • Kali Linux OS
  • Drops an unknown loader

Patches are available

ConnectWise released multiple patches and hotfixes with hardening suggestions:

June 10, 2020: ConnectWise is aware of a vulnerability in a ConnectWise Automate API that could potentially allow a remote user to execute modifications within an individual Automate instance. This affects on-premise and cloud-based versions of the product.

June 12, 2020; Hotfix A: ConnectWise has identified a need for additional hardening measures to be applied to the hotfixes and are currently working to update the fixes accordingly. Updates are expected later today, but we recommend all Automate partners take the following actions listed below.

cve-2020-14159-patch.png

June 13, 2020; Hotfix B: ConnectWise identified a need for additional hardening measures to be applied to the hotfixes and these new hotfixes are now available.

Perch recommendations

Researchers at Perch discovered over 6,500 Automate servers, many without the patches applied. Here’s what we recommend:

  • If you haven’t yet patched, we recommend doing so as soon as possible.
  • Review your Automate server logs to look for agent downloads and agent registration from source countries where you don’t expect agents.
  • Monitor your network traffic for unusual activity.

That’s all for this week. Keep it Perchy!

- Paul