Huntress On ‘Critical’ ConnectWise Vulnerabilities: ‘It Does Have A Certain Firestorm Potential’

'Once, at some point, if the threat actors figure it out that's when it'll be a very, very bad day. And that's not right now but I think once it's in the wrong hands, whether that's a week or two weeks, it does have a certain firestorm potential,' says John Hammond, principal security researcher at threat hunting firm Huntress.

John Hammond said he doesn’t normally get a chance to talk with so much severity and gravity about vulnerabilities, “but this one is bad.”

Hammond, principal security researcher at threat hunting firm Huntress, is talking about the latest cybersecurity threat impacting ConnectWise partners. Critical vulnerabilities were found in ConnectWise’s ScreenConnect tool on Monday impacting MSPs using ScreenConnect both on-prem and in the cloud.

Vulnerabilities were reported on February 13 through Tampa, Fla.-based ConnectWise’s vulnerability disclosure channel via the ConnectWise Trust Center, according to the vendor security bulletin.

MSPs were notified of the vulnerabilities on Monday and given instructions to update on-prem servers immediately. ConnectWise has patched all cloud environments.


There is no evidence that the vulnerabilities have been exploited, but on-premise partners must take immediate action to address any identified security risks, as the critical vulnerabilities could allow remote code execution or directly impact confidential data or critical systems.

“This would be the one that we're all saying you need to patch immediately,” Hammond said.

Many MSPs are saying that it could get worse in the coming days and weeks, “But maybe this is one that we shouldn't talk about yet because it's a little too dangerous, a little too risky,” Hammond said.

“Once, at some point, if the threat actors figure it out that's when it'll be a very, very bad day,” he said. “And that's not right now but I think once it's in the wrong hands, whether that's a week or two weeks, it does have a certain firestorm potential.

“We're a little bit tight-lipped too and we acknowledge that, but we don't want that to be in the hands of threat actors,” he added.

It has the potential to be a “point and shoot” attack that compromises the ScreenConnect server, which means hackers could control the remote monitoring and management software along with the agents, connected clients and endpoints attached to it, he said.

“It's important that folks keep up with good cyber hygiene,” Patrick Beggs, CISO for ConnectWise, told CRN. “With any vulnerability that can be exploited, if you're not patched it can be a threat. As a software company we want to maintain your hygiene [and have a] security first mentality.”

ConnectWise has mitigated about 80 percent of the ScreenConnect population, according to Ciaran Chu, general manager of ConnectWise ScreenConnect. The vendor also backdated upgrade patches for the last 20 releases.

“Our crucial communication is for the on-prem partner base because obviously they're the guys that are updating their versions and patching themselves, whereas in the cloud we obviously do it for them,” Chu told CRN. “We've mitigated the majority of our customer base at this point but we're not going to rest until all of our customers are mitigated.”

He said ConnectWise is running reports every hour to see how many on-prem partners are upgrading and then continuously reaching out to those who have yet to do so.

“I think the importance is to patch and work with us on that,” Chu said. “We obviously want to keep all of our partners safe and allow them to focus on their business. So ultimately, by us being proactive and working with reports and vulnerabilities and making sure there's remediation in place, we want to get everybody safe as quick as possible.”

Beggs said ConnectWise also contacted the Cybersecurity and Infrastructure Security Agency (CISA) on Monday and is working closely with that agency to bring awareness to the vulnerabilities.

Marc Menzies, president and CTO at Ronkonkoma, New York-based Overview Technology Solutions, is an on-prem ScreenConnect partner and originally thought, “Not again” when he was notified about the vulnerabilities.

He immediately updated his servers and saw how the community came together to help those who were vulnerable.

“The bulletin that ConnectWise gave was accurate, the patch they had was easy to install and there was very little downtime on our end,” he told CRN. “It was very easy to fix. It’s how things should go: problem identified, community engaged and I worked with my team on getting that resolved.”

Jason Slagle, president of CNWR, a Toledo, Ohio-based MSP, was also affected and immediately went into remediation mode.

“It’s always patch first, ask questions later when you see something that severe,” he told CRN. “It isn’t going to take long for somebody to actually exploit it.”

Whenever a vulnerability gets exploited, it leaves a bad mark on the industry while many are trying to do the right thing, he said.

“I think the likelihood of exploitation in two weeks is very high, it’s thousands of potentially vulnerable servers,” he said. “And a bad day is a bad day for all of us.”