Eight Flaws in MSP Software Highlight Potential Ransomware Vector

An attack chain of vulnerabilities in ConnectWises software for MSPs has similarities to some of the details of the August attack on Texas local and state agencies.

Eight vulnerabilities in ConnectWises software for managed service providers (MSPs) purportedly allows attackers to silently execute code on any desktop managed by the application, an exploit chain with details similar to last Augusts coordinated attacks on Texas government agencies, security consultancy Bishop Fox said in an advisory today.
Individually, the vulnerabilities are mostly not severe, with only one — a cross-site request forgery (CSRF) flaw — deemed critical. Together, however, the eight issues — six of which are assigned Common Vulnerability Enumeration (CVE) identifiers — could have been combined to create an attack chain that could compromise a ConnectWise Control server and, from there, any attached clients, Bishop Fox stated.
An attacker that exploits the full attack chain can achieve unauthenticated remote code execution, resulting in compromise of the ConnectWise Control Server and ultimately the endpoint it has been installed on, says Daniel Wood, the associate vice president of consulting for Bishop Fox. This would provide full control over the vulnerable endpoint.
The company and a third party confirmed the vulnerabilities and found that ConnectWise had patched some of the issues in the fall with little to no notice. The attack chain has similarities to some of the reported details of the August attack on Texas local and state agencies, Wood
said in the published advisory
.
Multifactor authentication, for example, would likely not have helped the Texas agencies,
according to press reports
. Bishop Fox confirmed that multifactor authentication would not help against the attack chain proposed in its advisory, either.
This is not proof that the vulnerabilities we discovered were used in the incident, Wood said. What we can say is that nothing we have read about the Texas ransomware attack so far rules out the possibility that these vulnerabilities were involved.
In a statement sent to Dark Reading, ConnectWise refuted the findings, stressing that it takes the security of its products seriously.
Bishop Fox could not provide additional information as the attack chain for the exploits they outlined were conceptual, the company stated. In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities.
In the statement, ConnectWise acknowledged that it had fixed six of the eight issues. We appreciated the insights and based on [Bishop Foxs] report, we did our own internal research and evaluation and addressed the points they raised in their review, the company wrote. With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.
This is not the first time ransomware attackers infiltrated a company through ConnectWises products and services. In November 2017, a vulnerability researcher found an issue in ConnectWises plug-in for Kaseyas network monitoring system and posted an exploit to GitHub. Attackers later used that vulnerability to
compromise more than 1,500 systems and install ransomware
, demanding a $2.6 million ransom from the managed service provider.
In August, a coordinated ransomware attack scrambled data at 22 local and state agencies in Texas. Subsequent
press reports
indicated that the attacker had used a vulnerable installation of ConnectWise software to infect the governmental agencies.
Matt Hamilton, a former senior security analyst at Bishop Fox, discovered the latest vulnerabilities in mid-September. While the initial contact with ConnectWise proceeded quickly, the software maker stopped responding a week later, Bishop Fox stated.
ConnectWise CISO John Ford asserted that the Bishop Fox findings did not affect on-premise solutions and stated that these vulnerabilities are not exploitable because ConnectWise was unable to reproduce them using the steps that Bishop Fox provided them, Bishop Foxs Wood stated in the advisory. Additionally, Mr. Ford raised the threat of a defamation lawsuit. But Bishop Fox’s research found vulnerabilities that do, in fact, impact on-premise installations.
Huntress Labs, an MSP security provider, is conducting an analysis and verification effort at the request of Bishop Fox. Huntress Labs found that ConnectWise had patched or otherwise mitigated two of the issues, including the most critical vulnerability, partially mitigated two other flaws, and left three issues unmitigated. The testing, which is ongoing, has not yet determined the status of the eighth issue, the security provider
stated in a blog post
.
Companies, especially those serving less technical markets, need to be transparent and upfront with their customers, Bishop Foxs Wood says.
The best thing a company can do is to create an easy-to-use and secure mechanism for researchers to report vulnerabilities that go to their engineering and development teams, where they can be analyzed and confirmed, he says. Once that occurs, they can be prioritized for remediation activities based upon the companies organizational practices.
Because of the danger that such vulnerabilities post, ConnectWises current clients should request clarity on the issues, Wood adds.
Follow up with ConnectWise support to ensure patches have occurred — and [were] exhaustively tested — to ensure vulnerabilities no longer exist that can result in complete takeover of the Control Server, he urges. Dont use the product in its current state until confidence is reached.
For its part, ConnectWise dismissed a vulnerability — or chain of vulnerabilities — being at the heart of the Texas ransomware incident.
[T]here are malicious actors who utilize remote control products in scams to exploit a consumer or company through misrepresentation, network vulnerabilities, or phishing, the company said in its statement to Dark Reading. Our understanding is that the Texas attacks were precipitated by a phishing attack that led to a users credentials being compromised.
Related Content:
Texas Refuses to Pay $2.5M in Massive Ransomware Attack
Texas Towns Recover, but Local Governments Have Little Hope for Respite from Ransomware
Towns Across Texas Hit in Coordinated Ransomware Attack
Customers of 3 MSPs Hit in Ransomware Attacks
Ransomware Attack Via MSP Locks Customers Out of Systems

Check out The Edge, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem
.

Last News
▸ Google increases bug bounty rewards. ◂ Discovered: 26/12/2024 Category: security	▸ Microsoft and FBI shut down thousands of Citadel Botnets. ◂ Discovered: 26/12/2024 Category: security	▸ China accuses America of hacking them as well. ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Eight Flaws in MSP Software Highlight Potential Ransomware Vector