Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/22/2020
02:30 PM
100%
0%

Eight Flaws in MSP Software Highlight Potential Ransomware Vector

An attack chain of vulnerabilities in ConnectWise's software for MSPs has similarities to some of the details of the August attack on Texas local and state agencies.

Eight vulnerabilities in ConnectWise's software for managed service providers (MSPs) purportedly allows attackers to silently execute code on any desktop managed by the application, an exploit chain with details similar to last August's coordinated attacks on Texas government agencies, security consultancy Bishop Fox said in an advisory today.

Individually, the vulnerabilities are mostly not severe, with only one — a cross-site request forgery (CSRF) flaw — deemed critical. Together, however, the eight issues — six of which are assigned Common Vulnerability Enumeration (CVE) identifiers — could have been combined to create an attack chain that could compromise a ConnectWise Control server and, from there, any attached clients, Bishop Fox stated.

"An attacker that exploits the full attack chain can achieve unauthenticated remote code execution, resulting in compromise of the ConnectWise Control Server and ultimately the endpoint it has been installed on," says Daniel Wood, the associate vice president of consulting for Bishop Fox. "This would provide full control over the vulnerable endpoint."

The company and a third party confirmed the vulnerabilities and found that ConnectWise had patched some of the issues in the fall with little to no notice. The attack chain has similarities to some of the reported details of the August attack on Texas local and state agencies, Wood said in the published advisory

Multifactor authentication, for example, would likely not have helped the Texas agencies, according to press reports. Bishop Fox confirmed that multifactor authentication would not help against the attack chain proposed in its advisory, either.

"This is not proof that the vulnerabilities we discovered were used in the incident," Wood said. "What we can say is that nothing we have read about the Texas ransomware attack so far rules out the possibility that these vulnerabilities were involved."

In a statement sent to Dark Reading, ConnectWise refuted the findings, stressing that it takes the security of its products seriously.

"Bishop Fox could not provide additional information as the attack chain for the exploits they outlined were conceptual," the company stated. "In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities."

In the statement, ConnectWise acknowledged that it had fixed six of the eight issues. "We appreciated the insights and based on [Bishop Fox's] report, we did our own internal research and evaluation and addressed the points they raised in their review," the company wrote. "With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019."

This is not the first time ransomware attackers infiltrated a company through ConnectWise's products and services. In November 2017, a vulnerability researcher found an issue in ConnectWise's plug-in for Kaseya's network monitoring system and posted an exploit to GitHub. Attackers later used that vulnerability to compromise more than 1,500 systems and install ransomware, demanding a $2.6 million ransom from the managed service provider. 

In August, a coordinated ransomware attack scrambled data at 22 local and state agencies in Texas. Subsequent press reports indicated that the attacker had used a vulnerable installation of ConnectWise software to infect the governmental agencies.

Matt Hamilton, a former senior security analyst at Bishop Fox, discovered the latest vulnerabilities in mid-September. While the initial contact with ConnectWise proceeded quickly, the software maker stopped responding a week later, Bishop Fox stated.

"ConnectWise CISO John Ford asserted that the Bishop Fox findings did not affect on-premise solutions and stated that these vulnerabilities are not exploitable because ConnectWise was unable to reproduce them using the steps that Bishop Fox provided them," Bishop Fox's Wood stated in the advisory. "Additionally, Mr. Ford raised the threat of a defamation lawsuit. But Bishop Fox’s research found vulnerabilities that do, in fact, impact on-premise installations."

Huntress Labs, an MSP security provider, is conducting an analysis and verification effort at the request of Bishop Fox. Huntress Labs found that ConnectWise had patched or otherwise mitigated two of the issues, including the most critical vulnerability, partially mitigated two other flaws, and left three issues unmitigated. The testing, which is ongoing, has not yet determined the status of the eighth issue, the security provider stated in a blog post.

Companies, especially those serving less technical markets, need to be transparent and upfront with their customers, Bishop Fox's Wood says.

"The best thing a company can do is to create an easy-to-use and secure mechanism for researchers to report vulnerabilities that go to their engineering and development teams, where they can be analyzed and confirmed," he says. "Once that occurs, they can be prioritized for remediation activities based upon the companies organizational practices."

Because of the danger that such vulnerabilities post, ConnectWise's current clients should request clarity on the issues, Wood adds.

"Follow up with ConnectWise support to ensure patches have occurred — and [were] exhaustively tested — to ensure vulnerabilities no longer exist that can result in complete takeover of the Control Server," he urges. "Don't use the product in its current state until confidence is reached."

For its part, ConnectWise dismissed a vulnerability — or chain of vulnerabilities — being at the heart of the Texas ransomware incident.

"[T]here are malicious actors who utilize remote control products in scams to exploit a consumer or company through misrepresentation, network vulnerabilities, or phishing," the company said in its statement to Dark Reading. "Our understanding is that the Texas attacks were precipitated by a phishing attack that led to a user's credentials being compromised."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9405
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9406
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9407
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9398
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2015-5201
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...