ConnectWise hit by nation-state cyberattack, some ScreenConnect customer systems affected
State-sponsored hackers target IT firm

- ConnectWise notified customers about a state-sponsored attack
- A "small number" of ScreenConnect customers were affected
- The company triggered its incident response plan and brought in third-party experts
ConnectWise has revealed it recently suffered a cyberattack, likely at the hands of a “sophisticated nation state actor.”
In a short announcement published on its website, the company said it recently learned of “suspicious activity” within its environment, which affected a “very small number” of ScreenConnect customers.
“We have launched an investigation with one of the leading forensic experts, Mandiant,” the announcement says. “We have contacted all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we implemented enhanced monitoring and hardening measures across our environment.”
Multiple attacks
Other than that, details are scarce. We don’t know which threat actor this is, how they managed to infiltrate ScreenConnect’s infrastructure, how long they dwelled, or what they were looking for.
We also don’t know exactly how many customers were affected, or in which industries they operate.
ScreenConnect did say that no further activity “in any customer instances” was observed.
“The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.”
In this context, The Hacker News reported that the company patched two security flaws in 2024, which were used “by both cybercrime and nation-state threat actors”, including those from China, North Korea, and Russia.
The two vulnerabilities are tracked as CVE-2024-1708 and CVE-2024-1709. The report also said the company fixed a high-severity vulnerability in ScreenConnect versions 25.2.3 and earlier, which could be exploited for ViewState code injection attacks using publicly disclosed ASP.NET machine keys. It doesn’t specifically state that the criminals used these flaws in the attacks.
As a popular remote support and access solution, ScreenConnect is widely adopted by Managed Service Providers (MSPs), internal IT teams, and technology resellers.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.