ConnectWise fixes bug abused by phishers

Updated on 2022-12-05: ConnectWise quiet patching

Remote desktop management service ConnectWise has quietly patched a vulnerability that was being abused in the wild by phishing gangs to take over ConnectWise accounts, Brian Krebs reported. Read more: ConnectWise Quietly Patches Flaw That Helps Phishers

Updated on 2022-12-04: ConnectWise fixes bug abused by phishers

You might not have heard of ConnectWise, but it’s big in the IT industry. ConnectWise offers a self-hosted, digitally signed remote desktop app that is used by MSPs to allow instant remote access to another network with a single email click. That’s by design, but phishers caught wind of this attack mechanism to bounce the connection through an attacker’s ConnectWise control server. In short, it makes breaking into usually-walled networks far easier. ConnectWise fixed the bug. The full technical write-up is worth the read, while @briankrebs has a good explainer for normies like me. Read more:

ConnectWise fixes bug abused by phishers

Updated on 2022-11-25: ConnectWise vulnerability

Guardio Labs researchers said they found a cross-site scripting (XSS) vulnerability in the ConnectWise remote access platform that the security firm said has “great potential” for misuse by scammers. Guardio said the vulnerability could be used to hijack accounts and their remote access capabilities and that ConnectWise quickly patched the issue after receiving its report. Read more: XSS Vulnerability Found in ConnectWise Remote Access Platform With Great Potential For Misuse by Scammers

Updated on 2022-10-31: Updates Available for ConnectWise RCE Vulnerability

ConnectWise has released updates to address a critical remote code execution vulnerability in its ConnectWise Recover and R1Soft server backup manager. The flaw is due to improper neutralization of special elements in output used by a downstream component. The vulnerability was detected by researchers from Huntress.

Note

Vulnerabilities in backup systems are one of the underappreciated risks. Backup systems essentially instrument your network for remote privileged file access, and if abused, you easily hand over control to an attacker.
ConnectWise enterprise applications are most often used by managed service providers (MSPs) that provide IT services to small businesses and local government. In the past 24 months, ransomware attacks have shown a bias towards small businesses and local government. With that in mind and given that a proof of concept exploit exists for this RCE vulnerability, MSPs should place a high priority on implementing the patch within their infrastructure.
This weakness can be exploited for lateral movement, not just impacting the targeted node, so you really want to close this hole. ConnectWise Recover should have automatically updated to newest version. The R1Soft update supports many Linux package mangers (yum, apt-get, dpkg & rpm), making the update straight forward. There is no workaround here.

Read more in

Overview: ConnectWise RCE

Managed service provider ConnectWise released a critical security update on Friday to address a remote code execution vulnerability in two of its backup server solutions that could be used to take over vulnerable and unpatched systems. Details about the vulnerability are still kept private, at least until Monday, when Huntress Labs CEO Kyle Hanslovan promised to release more details. At least 4,800 ConnectWise servers are still exposed online and most likely are still vulnerable, as the patch came late on Friday, and very few administrators learned of it in time to roll out the fix. Read more: ConnectWise Recover and R1Soft Server Backup Manager Critical Security Release

Updated on 2022-12-05: ConnectWise quiet patching

Updated on 2022-12-04: ConnectWise fixes bug abused by phishers

Updated on 2022-11-25: ConnectWise vulnerability

Updated on 2022-10-31: Updates Available for ConnectWise RCE Vulnerability

Overview: ConnectWise RCE

Your Support Matters...