ConnectWise Confirms Hack, "Very Small Number" of Customers Affected
ConnectWise, the developer of remote access and support software ScreenConnect, has confirmed it was targeted by a cyber-attack from a nation-state threat actor. In a message sent to Infosecurity, a ConnectWise spokesperson revealed that suspicious activity had been detected within their environment, which they believe was linked to a sophisticated nation-state actor affecting a very small number of ScreenConnect customers.
The company did not provide any details on the intrusion, but it has implemented enhanced monitoring and hardening measures across its environment. This move could suggest that initial access was gained by exploiting a zero-day vulnerability. ConnectWise has launched an investigation in collaboration with Google Cloud-owned Mandiant and noted that no further suspicious activity had been observed in any customer instances.
"We have communicated with all affected customers and are coordinating with law enforcement, and will share additional information as we are able," the ConnectWise spokesperson added. The incident occurred just a week before the company's annual IT Nation Secure conference in Orlando, Florida. US tech media CRN reported that the incident would be discussed at the event.
It also comes over a year after several vulnerabilities were found in ConnectWise's ScreenConnect, affecting both cloud and on-premises systems. Cloud environments were patched in February 2024, and partners using on-premises servers were instructed to update their systems urgently. The recent breach highlights the ongoing threat of nation-state attacks on remote monitoring and management (RMM) tools.
Will Thomas, Senior Threat Intelligence Advisor at Team Cymru, noted on LinkedIn that vulnerabilities in RMM tools have been increasingly targeted in recent months, including AnyDesk, TeamViewer, and BeyondTrust. Thomas highlighted that Russian intelligence services were named as breaching TeamViewer, while Chinese intelligence services were believed to have breached BeyondTrust.
"It seems to me like it's APT open season on RMM tool vendors," he added. The incident serves as a reminder for organizations using remote monitoring and management tools to stay vigilant and implement robust security measures to protect against such threats.