ScreenConnect Vulnerability Exploited – IT Companies are Being Targeted

ConnectWise is addressing a critical vulnerability discovered in ConnectWise ScreenConnect, its remote desktop and access software that enables MSP techs to directly access a user’s computer. The company has been alerting all MSPs using on-prem versions of the software to update it immediately.

 

ScreenConnect Vulnerabilities

ConnectWise disclosed two critical vulnerabilities in ScreenConnect versions 23.9.7 and earlier on February 19, 2024. The two vulnerabilities are:

  • CWE-288 Authentication Bypass (Severity 10): This vulnerability enables attackers to bypass authentication mechanisms, potentially allowing them to gain unauthorized access to confidential data or execute arbitrary code on vulnerable servers. Its critical severity stems from the potential for exploitation and its impact on affected systems.
  • CWE-22 Path Traversal (Severity 8.4): This vulnerability involves improper limitation of a pathname to a restricted directory, commonly known as "path traversal." Attackers with high privileges can exploit this flaw to access files and directories outside the intended directory structure, potentially leading to unauthorized disclosure of sensitive information or further compromise of the system.

 

What Makes This Concerning for IT Companies?

As Managed Service Providers (MSPs) rely heavily on ScreenConnect for remote access and support, these vulnerabilities create a significant attack vector. Exploiting these vulnerabilities could allow attackers to:

  • Gain access to sensitive client data: This includes financial information, customer records, and confidential communication.
  • Deploy ransomware or malware: Encrypting or corrupting critical data, leading to significant downtime and financial losses.
  • Move laterally across client networks: Compromise multiple systems and escalate privileges, causing widespread damage.

 

My Business Uses an MSP, What Steps Do I Need to Take?

Please ask your IT Support Company to review this message and take the following steps:

  1. If your IT Support Company is using ScreenConnect, confirm in writing that their servers have been patched to address this vulnerability.
  2. If you have ScreenConnect software installed on computers and are NOT using it, have your IT Support Company uninstall it immediately.
  3. Use your remote management tool to search for any instances of ScreenConnect, to make sure there are no legacy applications from previous IT vendors. Remove any unnecessary ScreenConnect applications (or any other screen sharing applications) IMMEDIATELY.
  4. If you are a ScreenConnect user, update all agents to the latest software version following the recommended upgrade path. This is crucial to maintaining optimal system security and performance.

 

ConnectWise's Actions to Address the Vulnerability

According to ConnectWise, within 36 hours of confirming the vulnerability, the company applied a manual mitigation for all Cloud partners (ScreenConnect, RMM, and Automate/Hosted RMM). As a result, all Cloud partners were protected by February 16th. Because the mitigation did not require a version update, Cloud users will not see a version change.

 

Additionally, ConnectWise began upgrading all ScreenConnect and Automate/Hosted RMM Cloud partners to the latest 23.9 version. No further action is required from cloud partners using “screenconnect.com” cloud and “hostedrmm.com” instances.

 

ConnectWise has released a patch for on-premises ScreenConnect that updates it to version 23.9.8.

 

What Should MSPs Do?

MSPs need to take immediate action to address these vulnerabilities:

  • Patch immediately: Update all ScreenConnect servers to version 23.9.8 or later as soon as possible. ConnectWise has removed license restrictions for this update, ensuring everyone can access it.
  • Verify patch application: Confirm that the patch has been applied successfully on all affected servers.
  • Change passwords: Reset credentials for all ScreenConnect accounts, especially those with administrative privileges.
  • Review security protocols: Review and, if needed, implement multi-factor authentication (MFA) and strong password policies for all accounts.
  • Inform your clients: Communicate the vulnerability and the steps you've taken to mitigate their risk as well as yours.
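
The inventory search and patch verification steps above can be scripted against an export from a remote management tool. The following is an added example, not ConnectWise or Teknologize code: the CSV columns, host names, build numbers and the "approved" flag are constructed, and it assumes the 23.9.8 floor named in this article applies to every ScreenConnect row.

```python
import csv
import io
import re

FIXED = (23, 9, 8)  # first fixed on-prem version named in the article

# Constructed inventory export; column names and hosts are hypothetical.
SAMPLE_INVENTORY = """host,software,version,approved
sc-server-01,ScreenConnect,23.9.7.1000,yes
sc-server-02,ScreenConnect,23.9.8.1000,yes
ws-014,ScreenConnect Client (0123456789abcdef),23.9.10.1000,yes
ws-027,ScreenConnect Client (fedcba9876543210),22.4.1.100,no
ws-031,ScreenConnect Client (0123456789abcdef),,yes
ws-040,Example PDF Reader,11.0,yes
"""

def parse_version(text):
    """Return a tuple of ints, or None when the field is empty or malformed."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_patched(version):
    # Compare major.minor.patch numerically so 23.9.10 sorts above 23.9.8
    # (a string comparison would not); pad short versions with zeros.
    padded = (version + (0, 0, 0))[:3]
    return padded >= FIXED

def audit(csv_text):
    """Return (host, finding) for every ScreenConnect row needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "screenconnect" not in row["software"].lower():
            continue
        version = parse_version(row["version"])
        if row["approved"].strip().lower() != "yes":
            # Legacy or unused install, e.g. left by a previous IT vendor.
            findings.append((row["host"], "remove: not an approved install"))
        elif version is None:
            findings.append((row["host"], "verify: version unknown"))
        elif not is_patched(version):
            findings.append((row["host"], "update: below 23.9.8"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Rows with a missing version are reported rather than assumed patched, so they can be checked by hand.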

 

A Huge Reminder About Cyber Risks

This serves as an excellent reminder for us all that we must stay vigilant for cyber risks, not only from our primary software providers. We also need to verify that other third parties we allow to access our infrastructure are following appropriate cybersecurity practices.

There are many cybersecurity news outlets distributing information about this incident. Sadly, there are numerous reports that servers that went unpatched for as little as 36 hours have already been compromised, reiterating the need to make sure third parties remain ultra-diligent to keep our cyber infrastructure safe.

Remember, cybersecurity is not a one-time event; it's an ongoing process that requires continuous awareness and adaptation.

 

The latest security bulletin from ConnectWise can be found here: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8.

 


 


Teknologize is a SOC 2 accredited, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:

  • Tri-Cities, Washington 509.396.6640
  • Yakima, Washington 509.396.6640
  • Bend, Oregon 541.848.6072

Questions about your IT or Cybersecurity? Give us a call today!
