ConnectWise Suffers Cyberattack by Sophisticated Nation State Actor
ConnectWise, a Florida-based software company providing IT management solutions, has suffered a cyberattack attributed to a sophisticated nation-state actor. The incident, which affected a small number of its ScreenConnect customers, was detected by the company's internal security measures and is currently being investigated with the help of cybersecurity firm Mandiant.
"ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect customers," the company said in a statement. "We have launched an investigation with one of the leading forensic experts, Mandiant. We have communicated with all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment. We have not observed any further suspicious activity in any customer instances."
ConnectWise is primarily used by Managed Service Providers (MSPs) and IT departments to streamline operations, support clients, and secure IT environments. The product ConnectWise ScreenConnect is a remote desktop and remote support software designed to enable secure, real-time access to computers and devices from anywhere.
The Incident: A Nation-State Attack?
The breach may have occurred in August 2024, with the intrusion remaining undetected until May 2025. BleepingComputer reported that a ScreenConnect flaw, tracked as CVE-2025-3935, may have led to the ConnectWise breach, allowing remote code execution via stolen machine keys.
Though ConnectWise hasn't confirmed whether this vulnerability was exploited, it patched the issue on cloud-hosted instances before disclosure. In early 2024, multiple threat actors started exploiting the ScreenConnect vulnerabilities tracked as CVE-2024-1709 (CVSS score of 10) and CVE-2024-1708 (CVSS score of 8.4). Both vulnerabilities were reported on February 13, 2024, through the company's vulnerability disclosure channel via the ConnectWise Trust Center.
Threat Actors Exploiting Vulnerabilities
Trend Micro confirmed that Black Basta and Bl00dy ransomware groups were actively exploiting both flaws. They shared details about their attack chains, highlighting the severity of the situation.
The Importance of Cybersecurity Measures
"The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able," ConnectWise said in a statement. The incident serves as a reminder of the importance of robust cybersecurity measures and regular vulnerability testing.
Impact on Affected Customers
"ConnectWise notified all impacted clients and is cooperating with law enforcement. Since the update, no further malicious activity has been observed. ConnectWise continues to monitor the situation closely and will share updates as available," a source familiar with the cyber incident told CRN.
Avoiding Similar Breaches
To avoid similar breaches, businesses and individuals should prioritize regular security audits, implement robust backup systems, and stay up-to-date with the latest cybersecurity best practices. The incident highlights the need for continuous vigilance in the face of evolving cyber threats.