Managed service provider software vendor ConnectWise is seeing its remote monitoring and management (RMM) software hacked by criminals. There are reports of attempts to distribute ransomware to customers using the flaws.
Two vulnerabilities affect older versions of ScreenConnect; both have been mitigated in version 23.9.8 and later.
Affected cloud-hosted ScreenConnect implementations have been updated, but self-hosted versions must be upgraded manually to mitigate the risks and reduce the threat to end customers.
Christopher Budd, director of Sophos X-Ops, said of the threats: “Anyone with ConnectWise ScreenConnect 23.9.8 should take immediate steps to patch these systems. If they cannot patch immediately, they should take steps to remove them from the internet until they can patch.
“Users should also check for any indications of possible compromise given the speed with which attacks have followed these patches.”
He added: “The pairing of an exploitable vulnerability with external remote services is a significant factor in real-world attacks. External remote services are the number one initial access technique. ConnectWise customers need to take immediate action to protect themselves.”
ConnectWise said of the threat, before news broke of actual hacks in the wild: “Our team has been working around the clock to ensure protection from the issues affecting the latest ConnectWise ScreenConnect vulnerability, that was responsibly reported to us through our vulnerability disclosure process [on 13 February, 2024].
“Immediate action must be taken by on-premise partners to address these identified security risks. It is strongly recommended not to wait for a maintenance window to patch, but immediately update the latest ScreenConnect version 23.9.8.”