Remote Monitoring and Management (RMM) tools are a staple of Managed Service Providers (MSPs) and IT infrastructure teams. They bring enormous efficiency and convenience, but at the cost of concentrated risk: an RMM platform is, by design, privileged remote access to every endpoint it manages. As remote work spread, RMM tools took on an even larger role in managing endpoints and the applications their users rely on.
RMM tools have always been an attack vector, and over the years most of the leading dozen or so products have had at least one serious vulnerability. Most famously, the Kaseya VSA ransomware attack of July 2021 caused downtime for more than 1,000 organizations. In response, the cybersecurity authorities of the United Kingdom, Australia, Canada, New Zealand, and the United States released a joint Cybersecurity Advisory (CSA) with guidance on protecting against malicious cyber activity targeting managed service providers (MSPs) and their customers: Alert Code AA22-131A, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-131a
In January 2023, CISA published a dedicated advisory on RMM-tool risk, Alert Code AA23-025A, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a. A year later, in February 2024, RMM risk became headline news again. It is worth noting that the advisory specifically named ConnectWise ScreenConnect:
“CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber-criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.”
Furthermore, the advisory noted that although the campaign appeared financially motivated, the access gained could also be used to steal sensitive information or be sold on to other criminal or state-sponsored (APT) actors. That should have put every cyber-defender on notice, and I am sure many of us kept a watchful eye.
In February 2024 the risk became concrete with a critical vulnerability, CVE-2024-1709 (CVSS 10.0), an authentication bypass in the ScreenConnect server affecting versions 23.9.7 and earlier. An unauthenticated attacker can reach the server's initial setup wizard on an already-configured instance and run it again, creating a new administrative user with credentials of the attacker's choosing. No existing credentials need to be stolen.
Because an administrator of the ScreenConnect server controls every agent connected to it, one compromised server becomes a foothold on every endpoint it manages and a launch point for ransomware or further intrusion at scale.
ConnectWise patched CVE-2024-1709 quickly, in ScreenConnect 23.9.8 (https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8). Patching, however, does not evict an attacker who already used the bypass: any administrative account they created survives the upgrade, so every self-hosted server that was exposed while vulnerable needs its user store (User.xml under the server's App_Data directory) and audit logs reviewed for unexpected administrators and sessions. Meanwhile, the industry is still identifying impacted systems and businesses and assessing the damage in the form of penalties, lost customers, higher cyber-insurance premiums, and direct monetary loss.
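A first triage step an MSP can run on its own ScreenConnect inventory, shown here as an added example that is not ConnectWise's or Seceon's code: compare each self-hosted server's reported version against the fixed release named in the bulletin above. The inventory below is constructed sample data, and the version strings are assumed to be in the dotted numeric form ScreenConnect reports (for example "23.9.7.8804"). The detail worth noticing is the comparison itself: a plain string compare ranks "23.9.10" below "23.9.8" and would mark a patched server as vulnerable.

```python
"""Triage a ScreenConnect server inventory against the CVE-2024-1709 fixed version.

Added example, not ConnectWise's or Seceon's code. Assumes version strings in the
dotted numeric form ScreenConnect reports; the inventory at the bottom is
constructed sample data.
"""
from dataclasses import dataclass

# First release containing the fix, per the ConnectWise bulletin (23.9.8).
FIXED_VERSION = (23, 9, 8)


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    status: str  # "vulnerable", "patched" or "unknown"


def parse_version(text):
    """Turn "23.9.7.8804" into (23, 9, 7, 8804); raise ValueError on junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """True if the server version predates the first fixed release.

    The comparison is numeric and component-wise, not lexical, so
    23.9.10 is correctly treated as newer than 23.9.8. Only the first
    three components matter; the trailing build number is ignored.
    """
    return parse_version(version)[:3] < FIXED_VERSION


def triage(inventory):
    """Classify (host, version) pairs; unparsable versions become 'unknown'."""
    findings = []
    for host, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            status = "unknown"
        findings.append(Finding(host, version, status))
    return findings


# Constructed sample inventory: (hostname, version the server reports).
SAMPLE_INVENTORY = [
    ("sc-prod-01", "23.9.8.8811"),   # fixed release
    ("sc-prod-02", "23.9.7.8804"),   # last vulnerable release
    ("sc-lab-03", "23.9.10.8817"),   # lexically "smaller" than 23.9.8, numerically newer
    ("sc-legacy-04", "22.6.10.8146"),
    ("sc-old-05", "unknown"),        # inventory gap, must be chased manually
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.host:14} {finding.version:14} {finding.status}")
```

This only covers self-hosted servers; ConnectWise updated its cloud-hosted instances itself. A "patched" status also says nothing about whether the server was compromised before the upgrade: an attacker-created administrator survives the update and has to be hunted separately.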
As a cybersecurity services provider, it is critically important to keep safeguards in place for both known and unknown threats. MSPs need a Zero-Trust approach to their own supply chain, as many organizations learned from the SolarWinds compromise and the Log4j vulnerability.
Today, MSPs must protect not just their customers but their own estate, with proactive and comprehensive threat detection, including real-time machine learning and AI-based analytics.
Many in the industry already recognize this as a cat-and-mouse game: the question is not whether an attack will happen to us, but how quickly we can detect and contain it when it does.
The industry learns daily from such attacks and is developing better defenses using modern tools and automation. We at Seceon actively contribute to that defense and welcome any queries about our approach and how it can help in your cybersecurity journey.
Seceon is a ConnectWise Invent Certified Vendor, and dozens of our partners have built MSP businesses as large as $200M that power their cybersecurity services with Seceon. We support the community and have sponsored and exhibited at ConnectWise events.
In January 2024, Seceon announced a version of the Seceon aiSIEM-CGuard product for our partner community. The Seceon aiSIEM-CGuard Not-For-Resale (NFR) license program matters now that governments and experts are pressing managed service providers to protect their own environments so that threat actors cannot use them as a path to their clients. If you are interested in learning more, please contact us.