ConnectWise warns of ongoing ransomware attacks targeting its customers
ConnectWise, a Florida-based company that provides remote IT management solutions, is warning customers that hackers are targeting its software to gain access to client networks and install ransomware.
ConnectWise Automate is a software package that lets IT admins manage a company's computer fleet and other IT assets from a central location. It's a classic remote access/management solution that many large companies use when they have assets spread across a large number of locations.
The software is available in a cloud-based offering, but also as on-premise servers, for more secure setups.
In a security alert sent out this week, ConnectWise said hackers are targeting on-premise Automate systems so they can take over servers and then deploy ransomware across a company's entire computer fleet.
"There are recent reports of malicious actors targeting open ports for [ConnectWise] Automate's on-premises application to introduce ransomware," a ConnectWise spokesperson told ZDNet in an email today.
The company is recommending that customers visit a support page and follow the steps laid out there to secure on-premise Automate installations and prevent attacks. These steps involve closing Automate ports exposed on the internet.
But despite being open about the attacks, the company's alert did not include any useful technical details. Some customers who received it were confused and wanted to know more -- such as the actual ports hackers were attacking, or the type of exploits they are using.
Any more detail? What ports are targeted?
— BradVido (@BradVido) November 7, 2019
How about a little more detail...what ports are being targeted? Have already opened a ticket asking the same question.
— Tom Scott (@twscottiii) November 7, 2019
Furthermore, as one user also pointed out, the support page also appears to contradict itself in some places, telling customers to open a port and then close it.
That exact document you are linking to STILL says to open up a boatload of ports, and in a single sentence says to open up 3306 and later says not to, while not saying if TCP/UDP either... It's frankly not clear and some would open up everything in that doc I bet.
— Brian Martin (@exr90) November 8, 2019
ZDNet asked ConnectWise for additional details about the attacks, but the company did not respond.
If customers would know what ports the attackers are targeting, the types of attacks hackers are launching, or what type of ransomware hackers are trying to install, this would help many companies take preventive measures.
For example, they could temporarily close attacked ports, forcibly-enable MFA for users to prevent brute-force attacks on user accounts, or they could deploy "ransomware vaccines" that prevent the ransomware from running even if attackers get in.
ConnectWise should have been prepared to deal with this type of incident. This is the second time this year that hackers have targeted its software to break into customer networks and deploy ransomware. In February this year, a hacker group exploited an outdated plugin for ConnectWise Manage to deploy versions of the GandCrab ransomware on the networks of more than 100 companies.
On its website, ConnectWise claims that more than 100,000 IT professionals have used its software.