Security researchers are sounding the alarm about a high-risk vulnerability present in a commonly used remote access tool. Experts warn that exploiting this flaw is “trivial and embarrassingly easy,” while the developer of the software confirms that it is currently under attack from malicious hackers.
The vulnerability in question affects ConnectWise ScreenConnect, a popular remote access software frequently used by IT providers and technicians for real-time technical support on customer systems. It is considered a maximum severity vulnerability due to its potential to allow attackers to bypass authentication and gain access to sensitive data or deploy harmful code.
The flaw was initially reported to ConnectWise on February 13 and publicly disclosed in a security advisory on February 19. At first, the company stated that there was no evidence of active exploitation, but a recent update confirmed that several compromised accounts have been identified and investigated by their incident response team.
ConnectWise has also shared three IP addresses reportedly used by threat actors. When questioned about the number of affected customers, a spokesperson declined to disclose the specific figure but noted that 80% of customer environments are cloud-based and have already been automatically patched within 48 hours.
However, there are still concerns about the potential impact of this vulnerability. When asked about data exfiltration, the spokesperson stated that no incidents have been reported, but did not mention whether ConnectWise has the means to detect if data was accessed.
According to the ConnectWise website, their remote access technology is used by over a million small to medium-sized businesses. This makes the flaw a cause for serious concern.
Cybersecurity company Huntress has also published an analysis of the actively exploited vulnerability. Its security researcher John Hammond told TechCrunch that Huntress is aware of current and active exploitation and has observed signs of threat actors moving beyond initial exploitation to more targeted post-exploitation and persistence methods.
Huntress CEO Kyle Hanslovan stated that their customer data reveals over 1,600 vulnerable servers, adding that “this shit is bad.” They estimate that there are still upwards of 8,800 ConnectWise servers that remain vulnerable and could potentially be targeted for exploitation.
Hanslovan also highlights the widespread usage of the software and the access granted by this vulnerability as a warning sign for a potential “ransomware free-for-all.” It is crucial for ConnectWise users to apply the patch immediately to avoid falling victim to such attacks.
In addition to releasing a patch for the actively exploited vulnerability, ConnectWise has also addressed a separate flaw affecting their remote desktop software. They have not observed any evidence of exploitation for this vulnerability.
Earlier this year, the U.S. government agencies CISA and the National Security Agency issued a warning about a “widespread cyber campaign” targeting federal civilian executive branch agencies. The agencies noted the use of legitimate remote monitoring and management software, including ConnectWise SecureConnect, as one of the tactics used by the attackers.
AnyDesk, another remote access software, was also subject to hacking attempts and was forced to reset passwords and revoke certificates after discovering evidence of compromised production systems.
When contacted for comment, CISA executive assistant director for cybersecurity Eric Goldstein stated that the agency is aware of the reported vulnerability and is working to determine any potential exploitation in order to provide the necessary guidance and assistance.
If you are a ConnectWise user and have been affected by this vulnerability, you can contact TechCrunch reporter Carly Page securely on Signal at +441536 853968 or by email at carly.page@techcrunch.com. You can also reach out to TechCrunch via SecureDrop.