- Connectwise notified customers about a state-sponsored attack
- A “small number” of ScreenConnect customers were affected
- The company triggered its incident response plan and brought in third party experts
ConnectWise has revealed it recently suffered a cyberattack, likely at the hands of a “sophisticated nation state actor.”
In a short announcement published on its website, the company said it recently learned of “suspicious activity” within its environment, which affected a “very small number” of ScreenConnect customers.
“We have launched an investigation with one of the leading forensic experts, Mandiant,” the announcement says. “We have contacted all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we implemented enhanced monitoring and hardening measures across our environment.”
You may like
Multiple attacks
Other than that, details are scarce. We don’t know which threat actor this is, how they managed to infiltrate ScreenConnect’s infrastructure, how long they dwelled, or what they were looking for.
We also don’t know exactly how many customers were affected, or in which industries they operate.
ScreenConnect did say that no further activity, “in any customer instances” were observed.
“The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.”
In this context, The Hacker News reported that the company patched two security flaws in 2024, which were used “by both cybercrime and nation-state threat actors”, including those from China, North Korea, and Russia.
The two vulnerabilities are tracked as CVE-2024-1708, and CVE-2024-1709. It also said the company fixed a high severity vulnerability in ScreenConnect versions 25.2.3 and earlier, which could be exploited for ViewState code injection attacks using publicly disclosed ASP.NET machine keys. It doesn’t specifically state the criminals used these flaws in the attacks.
As a popular remote support and access solution, ScreenConnect is widely adopted by Managed Service Providers (MSPs), internal IT teams, and technology resellers.
Via The Hacker News
