nicecube

UPDATE YOUR SCREENCONNECT NOW


Posted (edited)

 

Last night a hacker managed to log into our ScreenConnect 20.1 and infected ALL of our clients with ransomware. He is asking for 1.5 million USD for all the keys, about 5500 infected computers. I chatted with the hacker over Tor and he mentioned the number of computers we have in ScreenConnect. We had two-factor authentication with Duo and geolocation blocking.

All of our clients had Webroot and Huntress installed and they didn't detect anything. Worse, when I connect to a machine I get a Webroot popup that says my machine is safe, with 6 green check marks.

Edited by nicecube


This is a very blanket "update now" statement with no context or information.

  • What was the determined entry point? Are you on-premise or cloud?
  • What vulnerability is in 20.1 that is patched that mitigates this?
  • Do you have more information on the vulnerability?

Now, this is assuming it was an actual vulnerability. In 99% of these claims I've seen, the MSP had Control on-premise and RDP open to the Control server. RDP was the entry point. Either brute forced or credentials harvested/phished from MSP employees and voila! RDP access to the Control server.

Posted (edited)

*Sorry for my English, this is not my native language.

The hacker mentioned having logged into our ScreenConnect and he also mentioned the number of connected machines. In the ScreenConnect log we see the compromised user (ConnectWise API), the only one not using two-factor authentication.

We looked at the commands sent via ScreenConnect:

- Disabling the firewall (registry key)
- Disabling UAC
- PowerShell script to download and run the ransomware
 

We don't know what the vulnerability is, maybe a zero-day or something like that. We exclude brute force because the IP was banned after 3 failed attempts, and we also have geoblocking.


The hacker is clearly targeting MSPs and they know what they're doing; they erased all of the Veeam backups from the command line. They logged into ScreenConnect at 02:27, and at 02:35 the commands were sent to all of our computers.

Edited by nicecube


If you are on the MSPGeek Slack, contact me. It is most likely that one of your CW users has API access AND a weak or phished password. The hackers also use local VPNs to get around geo blocking.

To get started you can do the following:

  • Reset all CW user passwords and MFA
  • Audit accounts that have API access; disable the access if it is not known. The API does not require 2FA!

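An added example (it is not code from this thread, and it does not use ConnectWise's real API or log format) that puts two points from the posts above into working form: Xavier's advice to audit which accounts have API access and lack MFA, and the pattern nicecube described, a login by the one user without 2FA at 02:27 followed at 02:35 by firewall-disable, UAC-disable and PowerShell-download commands pushed to every machine. The user table, the log-line format, the log lines, the usernames and hostnames are all constructed for the example, and the 15-minute window and 20-host threshold are assumed values a defender would tune to their own environment.

```python
"""Audit + detection example for the Control/ScreenConnect incident pattern.

Everything below is constructed sample data in an assumed format; it is not
the ConnectWise API, export format or log format.
"""
import re
from datetime import datetime, timedelta

# Assumed user export: one row per Control user (constructed sample data).
USERS = [
    {"name": "alice", "role": "Administrator", "mfa": True, "api": False},
    {"name": "bob", "role": "Technician", "mfa": True, "api": False},
    {"name": "ConnectWise API", "role": "Administrator", "mfa": False, "api": True},
    {"name": "svc-automate", "role": "Technician", "mfa": False, "api": True},
]


def audit_users(users):
    """Flag accounts without MFA and API accounts that also hold admin rights."""
    findings = []
    for u in users:
        if not u["mfa"]:
            findings.append((u["name"], "no MFA"))
        if u["api"] and u["role"] == "Administrator":
            findings.append((u["name"], "API account holds Administrator role"))
    return findings


# Assumed session-audit line format (constructed): ts EVENT user="..." [host=...] [cmd="..."]
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>LOGIN|COMMAND) '
    r'user="(?P<user>[^"]+)"(?: host=(?P<host>\S+))?(?: cmd="(?P<cmd>[^"]*)")?$'
)

# Command categories matching what the thread describes being pushed to endpoints.
SUSPICIOUS = {
    "firewall tampering": re.compile(r"EnableFirewall|advfirewall .*state off", re.I),
    "UAC disabled": re.compile(r"EnableLUA", re.I),
    "remote payload download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "backup destruction": re.compile(r"vssadmin .*delete|veeam", re.I),
}

ATTACK_CMDS = [  # constructed; registry paths deliberately elided with "..."
    r"reg add HKLM\...\FirewallPolicy\StandardProfile /v EnableFirewall /t REG_DWORD /d 0 /f",
    r"reg add HKLM\...\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"powershell -nop -c IEX (New-Object Net.WebClient).DownloadString(...)",
]


def build_sample_log():
    """Constructed log: one normal technician session, then the incident session."""
    lines = [
        '2020-07-22 01:10:00 LOGIN user="alice"',
        '2020-07-22 01:12:30 COMMAND user="alice" host=PC-0007 cmd="ipconfig /all"',
        '2020-07-22 02:27:00 LOGIN user="ConnectWise API"',
    ]
    for i in range(1, 61):  # 60 hosts hit within one minute
        for cmd in ATTACK_CMDS:
            lines.append(f'2020-07-22 02:35:{i % 60:02d} COMMAND user="ConnectWise API" '
                         f'host=PC-{i:04d} cmd="{cmd}"')
    return lines


def parse_log(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in the assumed format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def detect_mass_dispatch(events, window=timedelta(minutes=15), host_threshold=20):
    """For each LOGIN, gather that user's COMMAND events inside the window and alert
    when they reach many distinct hosts or match a suspicious category."""
    alerts = []
    for ev in events:
        if ev["event"] != "LOGIN":
            continue
        end = ev["ts"] + window
        hosts, categories = set(), set()
        for c in events:
            if c["event"] == "COMMAND" and c["user"] == ev["user"] and ev["ts"] <= c["ts"] <= end:
                hosts.add(c["host"])
                for name, pat in SUSPICIOUS.items():
                    if pat.search(c["cmd"] or ""):
                        categories.add(name)
        if len(hosts) >= host_threshold or categories:
            alerts.append({"user": ev["user"], "login": ev["ts"],
                           "hosts": len(hosts), "categories": sorted(categories)})
    return alerts


if __name__ == "__main__":
    for name, issue in audit_users(USERS):
        print(f"AUDIT  {name}: {issue}")
    for a in detect_mass_dispatch(parse_log(build_sample_log())):
        print(f"ALERT  {a['user']} login {a['login']:%H:%M}: {a['hosts']} hosts, {a['categories']}")
```

The audit half is the part to run first after an incident like this one: any account that is both API-enabled and an Administrator, or that has no MFA at all, is exactly the account the thread later identifies as the entry point. The detection half alerts on the shape of the activity (one login, then commands fanned out to dozens of hosts within minutes) rather than on a specific tool, so it still fires when the payload changes.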

I don't have Slack and I'm busy restoring VMs. Luckily, a third of our infrastructure is on HP SimpliVity.

Posted (edited)
3 hours ago, Gavsto said:

@nicecube What was the password like on the ConnectWise API account that you have in Control? Was it secure?

The password was a very long string of approximately 16 random characters. It couldn't have been brute forced, and the password isn't in any rainbow tables.

As I said, this is the only user who did not have two-factor authentication. Probably they recovered an authentication token or they used a security hole in ScreenConnect.

To make the situation worse, the hacker doesn't seem to want to sell us individual decryption keys, he wants more than a million for the full batch ...

Edited by nicecube

8 hours ago, Xavier - Blackpoint Cyber said:

If you are on the MSPGeek Slack, contact me. It is most likely that one of your CW users has API access AND a weak or phished password. The hackers also use local VPNs to get around geo blocking.

To get started you can do the following:

  • Reset all CW user passwords and MFA
  • Audit accounts that have API access; disable the access if it is not known. The API does not require 2FA!

How exactly do you audit accounts that have API access? To connect to my Control API, I simply use a ScreenConnect administrator login with 2FA turned off.

Also, in my Automate System Dashboard under Config > Integration > ConnectWise Control I see this; not sure where or how this API key pair was generated:
[screenshot attached]

11 hours ago, Al Deuce said:

How exactly do you audit accounts that have API access? To connect to my Control API, I simply use a ScreenConnect administrator login with 2FA turned off.

Also, in my Automate System Dashboard under Config > Integration > ConnectWise Control I see this; not sure where or how this API key pair was generated:
[screenshot attached]

I would like to know this too so I can discard any API keys that aren't in use.

On 7/22/2020 at 9:58 AM, nicecube said:

Worse, when I connect to a machine I get a Webroot popup that says my machine is safe, with 6 green check marks.

Loll.. webroot sux dick, though they did come out with Evasion Shield recently. Do you know if that was enabled or not?

Posted (edited)

Big concern for the rest of us right now. I really feel for you.

Evasion shield is disabled by default so you need to go in and create the policy.
https://community.webroot.com/general-security-information-102/evasion-shield-faq-342813 
 

Steps needed to enable Evasion Shield:
The policy settings for the new 'Evasion Shield' are available at the Global Site Manager level only. This means that the ability to manage these settings will not be available when accessing the Policies tab within a site itself. To manage the 'Evasion Shield' you must do so when first logging into the Webroot GSM console and clicking on the 'Policies' tab located at the top of the window before accessing any site.

After selecting the 'Policies' tab, please select a policy from the list to edit. Please note that the three 'Recommended' policies cannot be edited. You must either create an entirely new policy or copy one of the recommended policies to then enable the Evasion Shield.

In addition, please note that the new 'Evasion Shield' functionality is available only when using global policies.

If, at the time the site in question was created, the option to allow the use of global policies was rejected, you can reverse this setting by following the steps below:

1. Access the 'Sites' tab.
2. Locate the site and select 'Manage'.
3. Click on the 'Endpoint Protection' tab.
4. Check the box that states 'Include Global Policies'.



https://www.connectwise.com/company/trust/security-bulletins 
I am hosted, which CW have confirmed is updated on a regular basis. Were you running an older on-premise version?

However, I have just been informed that the Automate Control version is more like an on-premise version and is not updated; it needs to be done yourself. (Now doing mine.)

Edited by Jas


@Jas Thanks for the information. My boss has a call with Webroot this morning; they'll help us disinfect all the computers with a custom script. Huntress will also help us; they got the logs and will do an update.


This afternoon ConnectWise will be reinstalling ScreenConnect and LabTech and making sure they are all safe. I made sure that our database was not infected; we spent thousands of hours working on it.

What pains me the most is that we are forced to campaign to raise the necessary funds to pay for the ransom.

 


What pains me the most is that we are forced to campaign to raise the necessary funds to pay for the ransom.

That's exactly why MSPs need to carry cybersecurity insurance.. sure it looks like a big cost... until 10k a year or something pales in comparison to 1.5m USD....

Hopefully, in the end, you can find out what is going on and how they got in...

 


Yeah, and the insurance company typically won't front the ransom payment, they only reimburse, so you need to somehow come up with the money to pay the bad guys before they'll pay you back...


Small update on the situation. We paid the ransom, and we received a decryptor that contains all the keys. We have made a decryption script that we will launch tonight at all our impacted customers. The security flaw was our API user, which did not have two-factor authentication. Please make sure that this user is not an administrator.


Is this related to the Control update notification CW just sent out, or just a misconfiguration? I think the only API stuff we have is probably the RMM+ module and the Automate/CW API... but would like to confirm...

2 hours ago, Mark Hodges said:

Is this related to the Control update notification CW just sent out, or just a misconfiguration? I think the only API stuff we have is probably the RMM+ module and the Automate/CW API... but would like to confirm...

The email this morning said that the issue hasn't been exploited yet. So either this is unrelated or they are lying. I don't see a middle ground as they do know about this incident based on NiceCube's earlier posts.

18 hours ago, Mark Hodges said:

Makes sense.... so it's probably unrelated since CW is stupid, but not sure if they are stupid enough to publicly lie :)

Want to bet? They've lied to me publicly.

