Updated on 2022-12-05: ConnectWise quiet patching
Remote desktop management service ConnectWise has quietly patched a vulnerability that was being abused in the wild by phishing gangs to take over ConnectWise accounts, Brian Krebs reported. Read more: ConnectWise Quietly Patches Flaw That Helps Phishers
Updated on 2022-12-04: ConnectWise fixes bug abused by phishers
You might not have heard of ConnectWise, but it’s big in the IT industry. ConnectWise offers a self-hosted, digitally signed remote desktop app that is used by MSPs to allow instant remote access to another network with a single email click. That’s by design, but phishers caught wind of this mechanism and used it to bounce the connection through an attacker-controlled ConnectWise control server. In short, it makes breaking into usually-walled networks far easier. ConnectWise fixed the bug. The full technical write-up is worth the read, while @briankrebs has a good explainer for normies like me. Read more:
- Hijacking Connectwise Control & Screen Connect (v.22.9.10032, MULTIPLE) for Fun and Profit – From DDoS to Multi-OS RCE!
- ConnectWise Quietly Patches Flaw That Helps Phishers
- November 29, 2022 <4:00 PM ET>: Remaining Vigilant Against Email Phishing Attempts
#ConnectWise is warning about an unusually slick #phishing attack that lets attackers take remote control over user systems when recipients click the included link. The warning comes after the company quietly patched a flaw that enables these attacks. https://t.co/jcr8pYVtek
— briankrebs (@briankrebs) December 1, 2022
Updated on 2022-11-25: ConnectWise vulnerability
Guardio Labs researchers said they found a cross-site scripting (XSS) vulnerability in the ConnectWise remote access platform that the security firm said has “great potential” for misuse by scammers. Guardio said the vulnerability could be used to hijack accounts and their remote access capabilities and that ConnectWise quickly patched the issue after receiving its report. Read more: XSS Vulnerability Found in ConnectWise Remote Access Platform With Great Potential For Misuse by Scammers
Updated on 2022-10-31: Updates Available for ConnectWise RCE Vulnerability
ConnectWise has released updates to address a critical remote code execution vulnerability in its ConnectWise Recover and R1Soft server backup manager. The flaw is due to improper neutralization of special elements in output used by a downstream component. The vulnerability was detected by researchers from Huntress.
Note
- Vulnerabilities in backup systems are one of the underappreciated risks. Backup systems essentially instrument your network for remote privileged file access, and if abused, you easily hand over control to an attacker.
- ConnectWise enterprise applications are most often used by managed service providers (MSPs) that provide IT services to small businesses and local government. In the past 24 months, ransomware attacks have shown a bias towards small businesses and local government. With that in mind and given that a proof of concept exploit exists for this RCE vulnerability, MSPs should place a high priority on implementing the patch within their infrastructure.
- This weakness can be exploited for lateral movement, not just impacting the targeted node, so you really want to close this hole. ConnectWise Recover should have automatically updated to the newest version. The R1Soft update supports many Linux package managers (yum, apt-get, dpkg & rpm), making the update straightforward. There is no workaround here.
Read more in
- Critical Vulnerability Disclosure: ConnectWise/R1Soft Server Backup Manager Remote Code Execution & Supply Chain Risks
- ConnectWise Recover and R1Soft Server Backup Manager Critical Security Release
- Patch Now: Dangerous RCE Bug Lays Open ConnectWise Server Backup Managers
- Critical ConnectWise Vulnerability Affects Thousands of Internet-Exposed Servers
Overview: ConnectWise RCE
Managed service provider ConnectWise released a critical security update on Friday to address a remote code execution vulnerability in two of its backup server solutions that could be used to take over vulnerable and unpatched systems. Details about the vulnerability are still kept private, at least until Monday, when Huntress Labs CEO Kyle Hanslovan promised to release more details. At least 4,800 ConnectWise servers are still exposed online and most likely are still vulnerable, as the patch came late on Friday, and very few administrators learned of it in time to roll out the fix. Read more: ConnectWise Recover and R1Soft Server Backup Manager Critical Security Release