MSP TODAY NEWS

Managed IT Experts Weigh-In On ConnectWise Cybersecurity Flaw

By Special Guest
Stuart R. Crawford



A recent cybersecurity alert issued by a major IT software organization had a chilling effect on managed service providers.

ConnectWise, the 38-year-old software outfit widely considered a “dominant force” in the industry, may not be a household name outside technology circles. But there’s a significant possibility that the professionals contracted to manage corporate IT are using ConnectWise products. That means flaws in the foundational software can create wide-reaching cybersecurity gaps.

“We are on high alert. Last week we saw a report of another MSP partner with indicators of compromise in their system, then this week a formal acknowledgment from ConnectWise has the whole community looking over their systems,” Steve King of Intelice Solutions reportedly said. “Groups like MSP Geek (mspgeek.com) have been critical in staying ahead of this news, with their Slack channel serving as a rallying point for hundreds of peers in the same situation.”

What Industry Leaders Need to Know About ConnectWise Vulnerability

Non-technology professionals need not understand the subtle insider details about how a problem with ConnectWise software can impact their seemingly unrelated business. In layman’s terms, if a ConnectWise product can be used to deliver malicious software and your in-house or third-party specialist uses one or more of those products, that opens the door to penetrate your system.

One way to understand breaches via software is that they act somewhat like a backdoor for cybercriminals to walk through and steal digital assets. Managed IT experts are on heightened alert over the recent vulnerability report because ConnectWise delivers popular Cloud-based products. The company has also suffered credibility issues after previously failing to provide prompt transparency, according to IT experts.

“The communication from CW has been better than in the past, but we get the feeling there are a lot of holes left to plug,” King reportedly said. “Skilled adversaries are aware of these RMM systems and there are signs this recent threat is already being scanned for, after reviewing connection logs from as recent as today.”

ConnectWise came under fire after IT outsourcing giant Wipro was reportedly breached through ConnectWise Control. The breach impacted 23 employee accounts and penetrated more than 100 customer endpoint devices. In 2020, at least eight vulnerabilities were reportedly detected, including the following.

  • Cross-Site Request Forgery
  • Cross-Site Scripting
  • Cross-Origin Resource Sharing Misconfiguration
  • Remote Code Execution
  • Information Disclosure
  • User Enumeration
  • Missing Security Headers
  • Insecure Cookie Scope

“Using the vulnerabilities documented in this disclosure, it was possible to create an attack chain that begins with coercing a SaaS user to visit an attacker-controlled website and ends with the complete takeover of the victim's ConnectWise Control instance. This includes the ability to execute arbitrary code on the Control server as well as the ability to connect to any client machine connected to the victim's Control instance,” according to a security advisor.

ConnectWise Improves Transparency, Delivers Solution

Although industry leaders may be taken aback by what appears to be subpar software, managed IT experts generally agree that no product is immune to emerging threats. Users receive ongoing updates and patches to close gaps as they are revealed. The fact that ConnectWise has been forthcoming about this issue and offers quick solutions has been cause for measured confidence.

“It’s a step in the right direction that a private bug bounty program is in place, but that effort needs to bear fruit and not just be for show,” King reportedly said.

ConnectWise recently reported a pair of attempts to breach its on-premises Automate accounts. The software outfit sent out an alert to update and leverage multi-factor authentication security.

“Multi-Factor Authentication (MFA) is enabled by default in versions 2020.1 and higher for users logging in with local credentials,” Adam Rippon of Sydney Technology Solutions reportedly advised. “Before upgrading to version 2020.1 or later, email settings must be configured, and each user must have a unique and valid email address entered in their user profile. For more information, refer to Multi-Factor Authentication for Automate.”

To prepare to make this change, Rippon suggests taking the following steps.

“Configure Email Settings for your system. If you have not previously configured these settings because you are concerned about receiving too many notifications or are using a PSA integration, please refer to Control Ticket Messages for information on silencing notifications by turning off ticket messaging,” Rippon reportedly said. “Navigate to System > Users and Contacts > Users and ensure that all users in your system have a unique and valid email address entered in their user profile.”
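The pre-upgrade check described above (every user has a unique, valid email address) can be scripted against a user export before MFA is switched on. The sketch below is an added example, not ConnectWise code; the CSV layout, the `username` and `email` column names and the sample rows are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; the column names "username" and "email" are
# assumptions, not ConnectWise Automate's actual export format.
SAMPLE_EXPORT = """username,email
alice,alice@example.com
bob,Alice@Example.com
carol,
dave,dave@localhost
erin, erin@example.com
"""

# Pragmatic syntax check: exactly one "@", no whitespace, dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s.]+$")


def audit_user_emails(export_text):
    """Return {username: problem} for accounts that fail the unique/valid rule."""
    by_address = defaultdict(list)
    problems = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = (row.get("username") or "").strip()
        email = (row.get("email") or "").strip().lower()
        if not email:
            problems[user] = "missing email"
        elif not EMAIL_RE.match(email):
            problems[user] = "invalid email"
        else:
            by_address[email].append(user)
    # Addresses are compared case-insensitively, so Alice@ and alice@ collide.
    for users in by_address.values():
        if len(users) > 1:
            for user in users:
                others = ", ".join(u for u in users if u != user)
                problems[user] = f"email shared with {others}"
    return problems


if __name__ == "__main__":
    for user, problem in sorted(audit_user_emails(SAMPLE_EXPORT).items()):
        print(f"{user}: {problem}")
```

Accounts that share a mailbox are flagged on both sides, since a shared address means one person's MFA message can be read by another.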

If your organization has invested in a Cloud-based footprint, business leaders may want to consider communicating with their managed IT specialist about the use of ConnectWise products and potential cybersecurity vulnerabilities. It’s critical to have the best defense possible to protect your digital assets and be able to sleep easy.


