Clearing the Air: Overblown Claims of Vulnerabilities, Exploits & Severity

Huntress shares their take on the ConnectWise Control vulnerability discussions, arguing there was no demonstrated exploit at the severity level claimed and advocating for responsible disclosure and collaboration. They emphasize social engineering and phishing as the primary risk vector and detail their timeline, validation, assessment, and ongoing collaboration with ConnectWise to address concerns and improve security awareness. #ConnectWiseControl #SilentPush #Huntress #ScreenConnect #MSP #r/msp #BrianKrebs

Key points

  • Huntress disputes the claimed severity of vulnerabilities in ConnectWise Control and advocates for responsible disclosure.
  • The timeline shows pre-release social engineering activity, advisories, vendor coordination, and public writeups, with no proven remote code execution.
  • The most prevalent threat observed is social engineering and phishing against MSPs using ConnectWise Control.

MITRE Techniques

  • [T1566] Phishing – The adversary uses phishing and social engineering to lure end users to download and run a legitimate ConnectWise Control client. “the adversary will answer and masquerade as a help-desk as a support line for companies like BestBuy or GeekSquad, and encourage the end user to download and run a legitimate Control client.”
  • [T1036] Masquerading – The social engineer disguises themselves as a legitimate help-desk to gain trust. “masquerade as a help-desk as a support line…”
  • [T1105] Ingress Tool Transfer – Modifying the Host header so that the client's download/install requests are routed to an attacker-controlled location. “This executable looked to be reaching out to fully install the software required for the ConnectWise Control connection, pulled once again from the server.”
  • [T1071] Web Protocols – Use of HTTP-based delivery/communication paths and proxying; “The Host HTTP header is used within the internal proxy to properly route to the correct cloud instance dedicated to the user’s deployment.”

Indicators of Compromise

  • [Domain] Phishing domains used in campaigns – msp123.screenconnect.com, attacker789.screenconnect.com, and 1 more domain
  • [Domain] Core service domain related to ConnectWise ScreenConnect – screenconnect.com

Read more: https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity