Ongoing Ransomware Attacks on ConnectWise Automate Threaten Normal Business Activities
If you work in the space of managing mobile devices and operating systems, you are probably familiar with solutions like Microsoft Intune or ConnectWise Automate. ConnectWise Automate (formerly LabTech) is a cloud-based and on-premise IT automation solution that helps companies track and manage IT assets from a single location. Its content management features allow users to share documents and publish content on their websites. Similarly, Microsoft Intune helps ensure that all company-owned and bring-your-own (BYO) devices are managed and kept up to date, with flexible control over Apple, Windows, and Android devices.
ConnectWise Automate uses ConnectWise Control for connections, which relies on end-to-end 256-bit SSL encryption and two-factor authentication. You can grant single sign-on access to hosts for one-time use and then lock the remote client when the host disconnects. However, on June 10, 2020, ConnectWise disclosed a vulnerability in an API used by ConnectWise Automate that could allow a remote user to make modifications within an individual Automate instance. The flaw in the ConnectWise Automate API affects both on-premise and cloud-based versions of the product. Hotfixes and guidance were issued quickly, and each affected partner was contacted and asked to apply the patch to eliminate the vulnerability. Exploiting this vulnerability, attackers are attempting to break into on-premise ConnectWise Automate systems and install ransomware on customer networks. All ConnectWise Automate customers should now visit the support page immediately and follow the steps laid out there to secure on-premise Automate installations and prevent attacks; these critical steps help close Automate ports exposed to the internet.
Some argue that the information provided is not sufficient, because it does not describe the attackers' behavior, such as which ports are being targeted, the type of attack, or the type of ransomware. Without knowing the nature of the attack, users felt uncomfortable remedying the situation.
From our research, there appear to have been several incidents in the past. One of them targeted an outdated plugin for ConnectWise Manage and affected more than one hundred companies. ConnectWise continues to look for possible vulnerabilities and hires white-hat hackers to uncover potential flaws so they can be patched before they are exploited. In February of this year, the ConnectWise product passed an independent security (SOC 2 Type 2) audit after undergoing penetration tests.