Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

02:30 PM

Eight Flaws in MSP Software Highlight Potential Ransomware Vector

An attack chain of vulnerabilities in ConnectWise's software for MSPs has similarities to some of the details of the August attack on Texas local and state agencies.

Eight vulnerabilities in ConnectWise's software for managed service providers (MSPs) purportedly allow attackers to silently execute code on any desktop managed by the application, an exploit chain with details similar to last August's coordinated attacks on Texas government agencies, security consultancy Bishop Fox said in an advisory today.

Individually, the vulnerabilities are mostly not severe, with only one — a cross-site request forgery (CSRF) flaw — deemed critical. Together, however, the eight issues — six of which have been assigned Common Vulnerabilities and Exposures (CVE) identifiers — could be combined into an attack chain that compromises a ConnectWise Control server and, from there, any attached clients, Bishop Fox stated.

"An attacker that exploits the full attack chain can achieve unauthenticated remote code execution, resulting in compromise of the ConnectWise Control Server and ultimately the endpoint it has been installed on," says Daniel Wood, the associate vice president of consulting for Bishop Fox. "This would provide full control over the vulnerable endpoint."

The company and a third party confirmed the vulnerabilities and found that ConnectWise had patched some of the issues in the fall with little to no notice. The attack chain has similarities to some of the reported details of the August attack on Texas local and state agencies, Wood said in the published advisory.

Multifactor authentication, for example, would likely not have helped the Texas agencies, according to press reports. Bishop Fox confirmed that multifactor authentication would not help against the attack chain proposed in its advisory, either.

"This is not proof that the vulnerabilities we discovered were used in the incident," Wood said. "What we can say is that nothing we have read about the Texas ransomware attack so far rules out the possibility that these vulnerabilities were involved."

In a statement sent to Dark Reading, ConnectWise refuted the findings, stressing that it takes the security of its products seriously.

"Bishop Fox could not provide additional information as the attack chain for the exploits they outlined were conceptual," the company stated. "In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities."

In the statement, ConnectWise acknowledged that it had fixed six of the eight issues. "We appreciated the insights and based on [Bishop Fox's] report, we did our own internal research and evaluation and addressed the points they raised in their review," the company wrote. "With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019."

This is not the first time ransomware attackers infiltrated a company through ConnectWise's products and services. In November 2017, a vulnerability researcher found an issue in ConnectWise's plug-in for Kaseya's network monitoring system and posted an exploit to GitHub. Attackers later used that vulnerability to compromise more than 1,500 systems and install ransomware, demanding a $2.6 million ransom from the managed service provider. 

In August, a coordinated ransomware attack scrambled data at 22 local and state agencies in Texas. Subsequent press reports indicated that the attacker had used a vulnerable installation of ConnectWise software to infect the governmental agencies.

Matt Hamilton, a former senior security analyst at Bishop Fox, discovered the latest vulnerabilities in mid-September. While the initial contact with ConnectWise proceeded quickly, the software maker stopped responding a week later, Bishop Fox stated.

"ConnectWise CISO John Ford asserted that the Bishop Fox findings did not affect on-premise solutions and stated that these vulnerabilities are not exploitable because ConnectWise was unable to reproduce them using the steps that Bishop Fox provided them," Bishop Fox's Wood stated in the advisory. "Additionally, Mr. Ford raised the threat of a defamation lawsuit. But Bishop Fox’s research found vulnerabilities that do, in fact, impact on-premise installations."

Huntress Labs, an MSP security provider, is conducting an analysis and verification effort at the request of Bishop Fox. Huntress Labs found that ConnectWise had patched or otherwise mitigated two of the issues, including the most critical vulnerability, partially mitigated two other flaws, and left three issues unmitigated. The testing, which is ongoing, has not yet determined the status of the eighth issue, the security provider stated in a blog post.

Companies, especially those serving less technical markets, need to be transparent and upfront with their customers, Bishop Fox's Wood says.

"The best thing a company can do is to create an easy-to-use and secure mechanism for researchers to report vulnerabilities that go to their engineering and development teams, where they can be analyzed and confirmed," he says. "Once that occurs, they can be prioritized for remediation activities based upon the company's organizational practices."

Because of the danger that such vulnerabilities pose, ConnectWise's current clients should request clarity on the issues, Wood adds.

"Follow up with ConnectWise support to ensure patches have occurred — and [were] exhaustively tested — to ensure vulnerabilities no longer exist that can result in complete takeover of the Control Server," he urges. "Don't use the product in its current state until confidence is reached."

For its part, ConnectWise dismissed a vulnerability — or chain of vulnerabilities — being at the heart of the Texas ransomware incident.

"[T]here are malicious actors who utilize remote control products in scams to exploit a consumer or company through misrepresentation, network vulnerabilities, or phishing," the company said in its statement to Dark Reading. "Our understanding is that the Texas attacks were precipitated by a phishing attack that led to a user's credentials being compromised."
