Huntress’ CEO said, ‘I can’t sugarcoat it – this thing is bad.’
Security experts have warned that it is “trivial and embarrassingly easy” to exploit a high-risk vulnerability in a widely used remote access tool, as the software’s developer confirmed that malicious hackers are actively exploiting the flaw.
The maximum severity-rated vulnerability affects ConnectWise ScreenConnect (formerly ConnectWise Control), popular remote access software that allows managed IT providers and technicians to provide remote technical support on customer systems in real time.
The flaw is described as an authentication bypass vulnerability that could allow an attacker to remotely steal confidential data from a vulnerable server or deploy malicious code such as malware. The vulnerability was first reported to ConnectWise on February 13, and the company publicly disclosed details of the bug in a security advisory published on February 19.
ConnectWise initially said there was no sign of public exploitation, but in an update on Tuesday it confirmed it had “received updates of compromised accounts that our incident response team has been able to investigate and confirm.”
The company also shared three IP addresses that it says were “recently used by threat actors.”
When asked by TechCrunch, ConnectWise spokesperson Amanda Lee declined to say how many customers were affected, but noted that ConnectWise has seen “limited reports” of suspected intrusions. Lee said 80% of customer environments are cloud-based and automatically patched within 48 hours.
Asked whether ConnectWise knew of any data exfiltration or whether it had the means to detect if any data was accessed, Lee said, “We have not been informed of any data exfiltration.”
Florida-based ConnectWise provides its remote access technology to more than one million small to medium-sized businesses, its website says.
Cybersecurity company Huntress on Wednesday published an analysis of the actively exploited ConnectWise vulnerability. Huntress security researcher John Hammond told TechCrunch that Huntress is aware of “current and active” exploitation, and is seeing early signs of threat actors moving toward “more focused post-exploitation mechanisms.”
“We are seeing that adversaries are already deploying Cobalt Strike beacons and even installing a ScreenConnect client on affected servers,” Hammond said, referring to the popular exploitation framework Cobalt Strike, which is used by security researchers for testing and misused by malicious hackers. “We can expect more of these compromises in the near future.”
Huntress CEO Kyle Hanslovan said Huntress’s own customer telemetry gives it visibility into more than 1,600 vulnerable servers.
“I can’t sugarcoat it — this thing is bad. We’re talking about over ten thousand servers controlling hundreds of thousands of endpoints,” Hanslovan told TechCrunch, noting that more than 8,800 ConnectWise servers are vulnerable to exploitation.
“The widespread dissemination of this software and the reach provided by this vulnerability signals that we are at the pinnacle of a ransomware free-for-all,” Hanslovan said.
ConnectWise has released a patch for the actively exploited vulnerability and is urging on-premises ScreenConnect users to apply the fix immediately. ConnectWise also released a fix for a separate vulnerability affecting its remote desktop software; Lee told TechCrunch that the company has found no evidence that that flaw has been exploited.
Earlier this year, US government agencies CISA and the National Security Agency warned that they had observed a “widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software” to target multiple federal civilian executive branch agencies – including ConnectWise ScreenConnect.
US agencies also observed hackers abusing remote access software from AnyDesk, which was forced to reset passwords and revoke certificates earlier this month after finding evidence of compromised production systems.
In response to TechCrunch’s inquiry, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said: “CISA is aware of a reported vulnerability affecting ConnectWise ScreenConnect and we are working to understand the potential exploitation in order to provide necessary guidance and support.”
Are you affected by the ConnectWise vulnerability? You can contact Carly Page securely on Signal at +441536 853968 or by email at [email protected]. You can also contact TechCrunch via SecureDrop.