ConnectWise Control Was Used By Bad Actors: Blackpoint Cyber
“We hate to see any software products used for malicious purposes, but unfortunately, remote control tools are used for this purpose all too frequently,” said ConnectWise Chief Product Officer Jeff Bishop in an email statement to CRN.
Security firm Blackpoint Cyber has issued a blog post warning that it has observed popular MSP remote control software from ConnectWise being deployed by bad actors in cyberattacks.
Use of the tool—ConnectWise Control – formerly known as ScreenConnect,—by bad actors points to a growing trend of hackers using unaltered enterprise-level software in attacks for a fraction of the cost of developing net new software, Blackpoint Cyber said in the post, which gave a detailed look at several cases it has been monitoring. The attackers used another RMM tool by Total Software Deployment to launch the initial attack, said Blackpoint Cyber.
“In each of the identified cases, Blackpoint observed that the first software package deployed by Total Software Deployment post breach was [an] enterprise capability often used by MSPs called ScreenConnect, also known as ConnectWise Control. The threat actors used this as a persistence mechanism to keep access to the network.” said Blackpoint Cyber. “Designed to offer help-desk-style services, this tool allows for full remote control of an endpoint.”
[RELATED: ThreatLocker Alert Warns Of Increased Ransomware Attacks Using MSP RMM Tools]
In an email response to CRN, ConnectWise Chief Product Officer Jeff Bishop wrote: “We hate to see any software products used for malicious purposes, but unfortunately, remote control tools are used for this purpose all too frequently. ConnectWise works diligently to prevent the misuse of our products through online training and educational material, and by implementing AI and machine learning to detect malicious actors that may be using Control to ‘scam’ end users.”
CRN reached out to Total Software Deployment but had not heard back at press time.
ConnectWise Control is among the most popular MSP tools, with at least 100,000 users managing millions of endpoints around the globe.
Bishop told CRN that when attacks “are detected or reported, we work with the appropriate authorities to assist them to take action against these malicious actors.”
“If a company or individual believes that ConnectWise Control was used in an exploit or their instance has been exploited,” Bishop encouraged them to report the details of the activity on its website.
The Blackpoint Cyber blog post notes that ConnectWise Control has “two main features appealing to threat actors.” One, “backstage mode,” allows “for complete access to the Windows Terminal and PowerShell without the logged-on user being aware. This is the primary use case observed by Blackpoint.”
Blackpoint Cyber said it has yet to see attackers using the second—a mass deployment feature—“in earnest.”
The blog post also singles out SoftPerfect Network Scanner as a tool to launch cyberattacks.
CRN reached out to T SoftPerfect Network Scanner but had not heard back at press time.
The Blackpoint Cyber alert points to the increased sophistication of bad actors using legitimate software to attack MSPs and their customers, said David Stinner, CEO of US itek, a Buffalo, N.Y.-based MSP. “The issue BlackPoint brings up is not unique to ConnectWise Control,” he said. “Any remote access application can be exploited the way BlackPoint described.”
In fact, Stinner said, a bad actor accessed his company’s remote control software just two weeks ago when an end user clicked on a website that socially engineered the user to call a phone number.
“While on the phone, the bad actors tried to install their remote access software to gain access to the PC, but it was blocked by our whitelisting,” said Stinner. “Being determined, they found out they were blocked by whitelisting [and] they identified which remote access software was whitelisted. Next they installed a copy of the software we use, and pointed it to their command and control servers, which compromises the protection of whitelisting.”
In the wake of the attack, US itek has implemented ringfencing to block hackers by “disallowing communication to any other remote access command and control server” beyond the US itek server.
US itek does not allow any other remote software to be used in its network or customer environments, said Mark Clift, vice president of information systems for US itek. What’s more, that remote software can only run and talk to the US itek server. “So, therefore, if somebody installs another version it is useless,” he said.
Threat researcher Huntress has seen “no evidence that there has been an uptick” in bad actors using ConnectWise Control to launch attacks, said Dray Agha, a threatOps analyst in the United Kingdom for Huntress. “From a Huntress perspective, this is actually a non-story,” he said. “I can only speak to the data that we have seen.”
In fact, Agha said to “blame” ConnectWise Control for a bad actor using the tool would be “unfair from our perspective because we don’t have the data to support there has been an uptick” in bad actors using the tool for malicious activity.
Huntress has also not seen any data that shows Total Software Deployment and SoftPerfect Network Scanner are being used increasingly by bad actors, said Agha.
As for practical advice for MSPs using RMMs, Agha said there has to be a “trade off” with regard to using tools like ConnectWise Control. “Just rescinding access to ScreenConnect (ConnectWise Control) doesn’t make sense,” he said. “You can’t blame them. It’s about following best practices and getting the basics right—actually monitoring what applications are allowed on machines. ... ScreenConnect is only going to get the threat actor in there, then they are going to do other malicious stuff. So are you monitoring for what is going to come after that?”
The Blackpoint Cyber blog postg came just one day after international and U.S. cybersecurity authorities said that they are aware of recent reports observing an increase in “malicious cyber activity targeting” MSPs and warned that they expect it to continue with stepped-up attacks on MSPs.
Besides the recent government warning, ThreatLocker issued a security alert on May 5 warning MSPs of a sharp increase in ransomware attacks using remote management tools.
In an interview with CRN, Blackpoint Cyber CEO Jon Murchison praised ConnectWise for quickly responding to the threat. “ConnectWise did a really good job and killed that account right away when we showed them,” he said. “We are not ‘throwing shade’ on them at all.”
In fact, Murchison said ConnectWise Control was “less impactful” in the malicious activity it observed than the use of Total Software Deployment and SoftPerfect Network Scanner.
“It was just one of the tools that was used,” said Murchison of the ConnectWise Control reference in the blog post. “You have got to realize, IT tools are great until some bad guy takes advantage of them … We are not singling out ConnectWise. In fact, ConnectWise did really good work. We share stuff with them when we need to, and they are always really responsive.”
The Blackpoint Cyber blog post also notes that bad actors are using free trial versions of RMM (remote management and monitoring) tools to launch attacks.
“ScreenConnect only requires the user to provide an email address, password and the name of their preferred ScreenConnect URL,” reads the Blackpoint Cyber blog. “[Total Software Deployment] and SoftPerfect Network Scanner simply allow for the download of the product without any checks. Sadly, there are no measures in place to easily identify when threat actors are using trial versions of software. Nevertheless, the capabilities employed by these actors can still be identified and remediated.”
In an email reply to CRN, ConnectWise’s Bishop said his company has “no information from partners or vendors to identify the account(s) in order to determine if it was a trial or a paid license.”
That said, ConnectWise had added machine learning and artificial intelligence to ConnectWise Control, whether free,trial or paid, to prevent malicious activity. “In addition, there are prompts to end clients that alert them that the technician is using a trial version of our product and that they should use caution,” he said.
Murchison told CRN that his company is definitely “seeing more use of free trials of RMM platforms being leveraged” by bad actors.
“So instead of putting down a malware backdoor, you put down another RMM agent and then the bad guy essentially leverages that to push his ransomware down because it is not going [get flagged].”
The managed detection and response provider has seen five or so cases over the last two and a half weeks where the bad actors were using free trials to launch attacks, said Murchison.
“The RMM companies need to have a lot more checks and balances on their free trial system—not just letting people [download them with no checks],” said Murchison. “I think a lot of the big ones do [provide checks on who is allowed to access a free trial version,] but there are some smaller ones that don’t and foreign ones [that don’t]. They need to make sure there is some sort of gate with the free trial. You [shouldn’t be able to] just sign up with a Gmail [address] or some made up account and get it. [The RMM companies] need to talk to people. You need to know you are dealing with a real human and not a bad guy.”
The Blackpoint Cyber scenario is yet another call for MSPs to double down on multifactor authentication (MFA), said US itek’s Clift. He pointed out that threat actors involved in the Blackpoint Cyber cases both used “valid stolen credentials” to gain access before leveraging the remote control software.
“This whole thing starts with compromised credentials,” he said. “When someone gets their credential compromised and you don’t have MFA you have just basically handed the threat actors the keys to the kingdom as it were. That happens every day. People put their user names and passwords on pop ups. We see that happen every day. A lot of email accounts get hacked that way. With MFA, you can potentially stop this whole threat chain from happening.”
As for using free trial versions of remote control software, Clift said he would like to see more human intervention to prevent bad actors from downloading free trials blindly without being approved by the vendor. “That would probably cut down on about 70 percent of the cases,” he said.