Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/22/2020
02:30 PM
100%
0%

Eight Flaws in MSP Software Highlight Potential Ransomware Vector

An attack chain of vulnerabilities in ConnectWise's software for MSPs has similarities to some of the details of the August attack on Texas local and state agencies.

Eight vulnerabilities in ConnectWise's software for managed service providers (MSPs) purportedly allows attackers to silently execute code on any desktop managed by the application, an exploit chain with details similar to last August's coordinated attacks on Texas government agencies, security consultancy Bishop Fox said in an advisory today.

Individually, the vulnerabilities are mostly not severe, with only one — a cross-site request forgery (CSRF) flaw — deemed critical. Together, however, the eight issues — six of which are assigned Common Vulnerability Enumeration (CVE) identifiers — could have been combined to create an attack chain that could compromise a ConnectWise Control server and, from there, any attached clients, Bishop Fox stated.

"An attacker that exploits the full attack chain can achieve unauthenticated remote code execution, resulting in compromise of the ConnectWise Control Server and ultimately the endpoint it has been installed on," says Daniel Wood, the associate vice president of consulting for Bishop Fox. "This would provide full control over the vulnerable endpoint."

The company and a third party confirmed the vulnerabilities and found that ConnectWise had patched some of the issues in the fall with little to no notice. The attack chain has similarities to some of the reported details of the August attack on Texas local and state agencies, Wood said in the published advisory

Multifactor authentication, for example, would likely not have helped the Texas agencies, according to press reports. Bishop Fox confirmed that multifactor authentication would not help against the attack chain proposed in its advisory, either.

"This is not proof that the vulnerabilities we discovered were used in the incident," Wood said. "What we can say is that nothing we have read about the Texas ransomware attack so far rules out the possibility that these vulnerabilities were involved."

In a statement sent to Dark Reading, ConnectWise refuted the findings, stressing that it takes the security of its products seriously.

"Bishop Fox could not provide additional information as the attack chain for the exploits they outlined were conceptual," the company stated. "In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities."

In the statement, ConnectWise acknowledged that it had fixed six of the eight issues. "We appreciated the insights and based on [Bishop Fox's] report, we did our own internal research and evaluation and addressed the points they raised in their review," the company wrote. "With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019."

This is not the first time ransomware attackers infiltrated a company through ConnectWise's products and services. In November 2017, a vulnerability researcher found an issue in ConnectWise's plug-in for Kaseya's network monitoring system and posted an exploit to GitHub. Attackers later used that vulnerability to compromise more than 1,500 systems and install ransomware, demanding a $2.6 million ransom from the managed service provider. 

In August, a coordinated ransomware attack scrambled data at 22 local and state agencies in Texas. Subsequent press reports indicated that the attacker had used a vulnerable installation of ConnectWise software to infect the governmental agencies.

Matt Hamilton, a former senior security analyst at Bishop Fox, discovered the latest vulnerabilities in mid-September. While the initial contact with ConnectWise proceeded quickly, the software maker stopped responding a week later, Bishop Fox stated.

"ConnectWise CISO John Ford asserted that the Bishop Fox findings did not affect on-premise solutions and stated that these vulnerabilities are not exploitable because ConnectWise was unable to reproduce them using the steps that Bishop Fox provided them," Bishop Fox's Wood stated in the advisory. "Additionally, Mr. Ford raised the threat of a defamation lawsuit. But Bishop Fox’s research found vulnerabilities that do, in fact, impact on-premise installations."

Huntress Labs, an MSP security provider, is conducting an analysis and verification effort at the request of Bishop Fox. Huntress Labs found that ConnectWise had patched or otherwise mitigated two of the issues, including the most critical vulnerability, partially mitigated two other flaws, and left three issues unmitigated. The testing, which is ongoing, has not yet determined the status of the eighth issue, the security provider stated in a blog post.

Companies, especially those serving less technical markets, need to be transparent and upfront with their customers, Bishop Fox's Wood says.

"The best thing a company can do is to create an easy-to-use and secure mechanism for researchers to report vulnerabilities that go to their engineering and development teams, where they can be analyzed and confirmed," he says. "Once that occurs, they can be prioritized for remediation activities based upon the companies organizational practices."

Because of the danger that such vulnerabilities post, ConnectWise's current clients should request clarity on the issues, Wood adds.

"Follow up with ConnectWise support to ensure patches have occurred — and [were] exhaustively tested — to ensure vulnerabilities no longer exist that can result in complete takeover of the Control Server," he urges. "Don't use the product in its current state until confidence is reached."

For its part, ConnectWise dismissed a vulnerability — or chain of vulnerabilities — being at the heart of the Texas ransomware incident.

"[T]here are malicious actors who utilize remote control products in scams to exploit a consumer or company through misrepresentation, network vulnerabilities, or phishing," the company said in its statement to Dark Reading. "Our understanding is that the Texas attacks were precipitated by a phishing attack that led to a user's credentials being compromised."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.