Multiple ConnectWise partners have had their customers hit with ransomware through a software flaw that the company revealed last week with one having several end users compromised, according to a source who spoke on condition of anonymity.
Tampa, Fla.-based ConnectWise confirmed that the vulnerability in ConnectWise Automate – which the company announced itself on June 10 using a new site meant to give partners up-to-the-minute security bulletins – was successfully used against some of the 20,000 partners on its platform.
The source said there was an MSP encrypted in mid-May using this vulnerability, which is what prompted the company to release the hotfix and notify users.
“We have confirmed that a small number of partners have been compromised,” ConnectWise told CRN Thursday evening. “We are communicating with each of them to determine the nature and severity of the impact. We are also actively communicating with our on-premises partners who have not yet installed the hotfixes and walking them through the steps to do so.”
Meanwhile security experts told CRN that the flaw ConnectWise disclosed had other vectors of attack so while the patch ConnectWise pushed out did fix one point of entry, at least one other method of exploiting the flaw remained. ConnectWise acknowledged that it is also looking at that as well.
“The hotfixes and guidance communicated to date directly address the risk that was identified and disclosed in the security bulletins posted from June 10 to 13,” the company said in a statement to CRN this week. “We are also actively vetting a separate responsibly disclosed issue.”
Kyle Hanslovan, CEO of Huntress, a provider of cyber threat monitoring to MSPs, said it looks as if hackers are using this flaw to gather server passwords from the unpatched instances of ConnectWise Automate.
“If you are not patched they can gather that password,” he said. “Since there is no way to change that password, if a new vulnerability comes out, and someone has gathered your password, that’s where the danger is.”
Hanslovan praised ConnectWise for announcing the flaw and immediately releasing a hotfix. On his end, he said Huntress created a tool internally to find all of its partners who used Automate, and determined which ones were not fully patched.
“We discovered that about 10 percent of that audience were not patched and were still vulnerable,” he said. “So no joke, my team called until 4 a.m. on that Saturday until we reached every single MSP, sending emails, opening tickets, because the vulnerability is being actively exploited in the wild.”
Jason Slagle, vice president of technology at CNWR Inc., an MSP based in Toledo, Ohio who is both a ConnectWise and Huntress partner, said ConnectWise is taking this threat seriously.
“I have commitment from the product manager that he has the best developer that they have working on it,” he said. “I sent him a couple spots where I was concerned. I made a couple general recommendations security wise. He assured me he’s got their best developers working on it.”
ConnectWise said it is creating more ways to keep partners abreast of the latest security developments with its products.
“We are in the process of launching our RSS feed to create additional communications channels to update partners about security bulletins and associated mitigation or remediation steps,” the company said in a statement to CRN. “We intend to have the RSS feed live by end of Q2 as announced in March of this year.”
Slagel said the company would also do well to listen to its community of MSPs who have called for a bug bounty program to be implemented. ConnectWise Director of Information Security Tom Greco told CRN in March that the company would be rolling out a bug bounty program this year. However Slagel – who has a security background -- said when he approached ConnectWise about this last week, he was told they have no such program.
“They need to pay bug bounties. Somebody is willing to pay for those vulnerabilities. I’m a good actor. I’m a white hat. I have a vested interest in making sure the bugs go to the people who can solve them. If I disclose them, I’ll responsibly disclose,” he said. “But if you get a grey hat or a black hat, they’re going to sell it on the Dark Web and we’re going to have dozens and dozens of partners who get their systems ransomed.”