ConnectWise Security: Public Service Announcement

10/31/2020

Vulnerability Details:

In light of the upcoming elections and recent cyber-attacks on health care systems, there have been reported increases in cyber-attacks on MSPs with attackers seeking to obtain MSP credentials to ConnectWise and competitive products by exploiting weaknesses in MSP’s security protocols and infrastructures.

We are aware of active threats using attack methods to compromise credentials and, as always, the safety and security of our partners is of the highest priority. We are issuing this public service announcement to encourage our partners, and all MSPs in our industry, to review their systems for the following to best ensure the security of their data and the data of their end customers:

General Security Best Practices

• Review the running processes on all Domain Controllers to ensure that no unexpected processes are running. Attackers are using PowerShell scripts on Domain Controllers with the flag "--hidden" in order to avoid detection by the MSP.

• Enable two-factor authentication (2FA/MFA) on all accounts to include email accounts.

• Check for the presence of the tools Cobalt Strike and Mimikatz. These tools are being utilized by ransomware actors to harvest credentials and gain a persistence on a network.

• If unusual PowerShell activity has been observed or unexpected tools installed, it is critical that all user passwords are reset after the successful removal of the tools.

• If possible, block all traffic to pastebin.com as it is a known site for malware.

Select Security Best Practices & Tips for ConnectWise Products

• In addition to MFA, we recommend restricting access to admin pages by IP, employing complex passwords and changing them regularly, and conducting regular account audits.

• Block access to RDP and similar remote access services from the Internet.

• For our ConnectWise Control partners, regularly audit the Toolbox directory to ensure there are no unexpected files within "C:\Program Files (x86)\ScreenConnect\App_Data\Toolbox".

For more tips and specific guidance on Security practices for MSPs, please visit the Security Journey on the ConnectWise University

We strongly encourage our partners and all MSP’s to review their security measures and implement the suggestions above. We also suggest that you regularly visit our Trust Site for more information and the latest updates to regularly stay current on the latest MSP security information.

Thank you for your time and attention to this important matter.

Stay safe,
ConnectWise InfoSec Team