
February 29, 2024

4 lessons MSPs can learn from the ScreenConnect vulnerabilities


Field Effect has been actively engaging with clients and partners to mitigate the threat posed by recent critical vulnerabilities affecting ConnectWise’s ScreenConnect servers.

Through this collaboration, and by analyzing telemetry related to ScreenConnect exploitation activity, we have discovered patterns that represent valuable lessons for managed service providers tasked with, among other things, ensuring the cybersecurity of their clients.

1. Identifying and securing neglected legacy infrastructure

Many of the compromised ScreenConnect servers we observed were instances that were no longer used or maintained. They were left exposed to the internet, making them easy targets for exploitation.

While it’s important that organizations maintain an accurate list of their assets and infrastructure, MSPs should also check across their clients’ environments for infrastructure that may have been set up unofficially by employees, external vendors, or other third parties, or left over from a trial or evaluation that was never put into production. These unexpected installations should be uninstalled or disabled, or at a minimum blocked from external connectivity.

While the compromise of these servers may not seem like an issue since they likely do not contain sensitive data or aren’t vital to a company’s operations, threat actors still may be able to extract credentials and hashes that could be used to access other, more important systems on the same network.

Furthermore, any claim of compromise made publicly by threat actors, regardless of the perceived importance of the system affected, could lead to reputational damage.

2. Ease and speed of patching self-hosted versus cloud-hosted services

Favourable, grandfathered contracts are often the reason why organizations continue to choose on-premises and self-hosted appliances rather than adopting a higher-priced, but likely lower-maintenance, equivalent cloud-based service.

While the rationale for this is understandable, the ScreenConnect incident highlights the benefit of cloud-based services, which are updated more quickly and efficiently than their self-hosted equivalents.

Cloud-based ScreenConnect servers were patched before the vulnerabilities were announced, leaving no time for threat actors to exploit them. Conversely, self-hosted instances required manual patching and thus provided threat actors with the window they needed to target servers before they could be patched.

This window, combined with the simplicity of the exploit, was more than enough for threat actors to compromise unpatched ScreenConnect servers successfully.

3. Quick availability of PoC exploit code requires a high patching cadence

Another factor that hastens the exploitation of new vulnerabilities is the public release of proof-of-concept exploit code long before most MSPs have time to request that clients patch impacted systems. This factor was particularly bad in the ScreenConnect case as multiple cybersecurity vendors released exploit code just one day after the vulnerabilities were announced.

While these vendors justified their actions by claiming that other vendors had already released PoC code and thus ‘the cat was out of the bag’, this is no more than an attempt by these vendors to make a name for themselves rather than to strengthen cybersecurity.

While vendors may argue that any threat actor worth their salt would have their own exploits anyway, public exploit code could be leveraged by less sophisticated actors who otherwise would not have had this capability without external assistance, especially when vendors emphasize how easy the exploit is to deploy.

Unfortunately, this is likely to continue as irresponsible cybersecurity vendors seek market share in an increasingly competitive environment.

4. Active monitoring of remote connection software

Remote desktop access and sharing applications have been very popular targets for threat actors since they are almost always exposed to the internet and, once compromised, can serve as a valuable foothold in a network of interest.

During the pandemic, many organizations quickly sought solutions to enable their employees to work remotely. Some of these solutions were hastily deployed—potentially because they were assumed to be temporary—often with misconfigurations, weak passwords, and other security flaws.

While the WHO has declared the pandemic “no longer a global emergency,” many employees still work from home, and thus the solutions enabling that work are here to stay.

It’s therefore critically important that MSPs and their clients adopt measures to ensure these solutions are configured and secured properly. Specifically, we recommend:

  • Monitoring for impossible travel situations (for example, an employee logs in from Canada, then from China a minute later).
  • Restricting Internet Protocol (IP) addresses that can connect to remote desktop services to specific geographical areas from which employees are expected to log in.
  • Restricting access to remote desktop services to IP addresses known to be used by employees or third parties who require access.
  • Blocking access to remote desktop services from known IPs associated with VPNs, TOR nodes, and those deemed high risk.
  • Enforcing multi-factor authentication and complex password requirements as much as possible.
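As an added illustration (not part of the original article or of any Field Effect product), the following Python shows how the first two recommendations can be checked against remote-access login events: impossible travel between consecutive logins by the same user, and logins from countries outside an allowlist. The sample events, their coordinates and the 1000 km/h speed threshold are constructed assumptions for this example.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample login events (not real data): user, UTC timestamp,
# source country, and the approximate lat/lon a GeoIP lookup would return.
LOGINS = [
    ("alice", "2024-02-20T13:00:00Z", "CA", 45.42, -75.70),  # Ottawa
    ("alice", "2024-02-20T13:01:00Z", "CN", 39.90, 116.40),  # Beijing, 1 min later
    ("bob",   "2024-02-20T09:00:00Z", "CA", 43.65, -79.38),  # Toronto
    ("bob",   "2024-02-20T17:30:00Z", "CA", 45.50, -73.57),  # Montreal, 8.5 h later
    ("carol", "2024-02-20T08:00:00Z", "US", 40.71, -74.01),  # New York
    ("carol", "2024-02-20T08:45:00Z", "GB", 51.51, -0.13),   # London, 45 min later
]

# Assumed upper bound on plausible travel speed (commercial flight is slower).
MAX_SPEED_KMH = 1000.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_country, to_country, km, minutes) for each pair of
    consecutive logins by the same user whose implied speed exceeds the limit."""
    alerts = []
    last_seen = {}  # user -> (time, country, lat, lon) of the previous login
    for user, ts, country, lat, lon in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        prev = last_seen.get(user)
        if prev:
            pt, pcountry, plat, plon = prev
            km = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600
            # A location change with zero elapsed time counts as infinite speed.
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append((user, pcountry, country, round(km), round(hours * 60)))
        last_seen[user] = (t, country, lat, lon)
    return alerts

def outside_allowed_countries(events, allowed):
    """Return (user, country) for logins from outside the geographic allowlist."""
    return [(user, c) for user, _, c, _, _ in events if c not in allowed]
```

In production the coordinates come from a GeoIP lookup on the source address, and the speed threshold should be tuned to avoid alerting on VPN exits employees legitimately use.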

Conclusion

The discovery and exploitation of ScreenConnect-like vulnerabilities is not likely to stop any time soon. Fortunately, by keeping the lessons above in mind, MSPs can help minimize their clients’ exposure to this threat. MSPs are better off adopting a holistic cybersecurity solution that enables the mitigations outlined above, rather than stitching together disparate cloud, endpoint, and network monitoring solutions that may make it more difficult to respond to similar threats promptly or effectively.