Newsletter 02/24/2024
If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal


The ConnectWise ScreenConnect Vulnerability & The Return of the LockBit Ransomware Gang

If you logged on to the website of the Naval Hospital Camp Pendleton any time Friday, February 23, 2024, you saw the image to the right fill your screen. As of the time of this writing, the startling graphic in bold text remained center stage on the homepage of the Naval Hospital website. Stars and Stripes, the independent newspaper of the US Armed Forces, reported February 22, 2024, quoting the Defense Health Agency, that: "A cyberattack Wednesday on one of America’s largest health care technology companies has left U.S. military pharmacies worldwide unable to fill prescriptions."

The attack was not directly aimed at Camp Pendleton or any other military installation; instead it was a "cyberattack on the nation’s largest commercial prescription processor, Change Healthcare, [that had] affected military clinics and hospitals worldwide," according to the Stars and Stripes report. As has been so common in recent cyberattacks, it was the computer systems of a third-party service company that were initially attacked. This industry-wide attack on the American pharmacy sector, which caused the shutdown at the Naval Hospital, also caused "disruptions" at many civilian pharmacies.

As Reuters reported February 22, 2024, the fallout followed "a hack at UnitedHealth's technology unit, Change Healthcare." Change Healthcare, as the Reuters report explained, is "a Tennessee-based provider of healthcare billing and data systems and a key node in the U.S. healthcare system," and the hack "was having knock-on effects on their businesses." Several pharmacy chains reported, "in statements and on social media," their own inability to operate as usual. CVS, Walgreens, GoodRX, and many other pharmacies and chains, both large and small, were impacted by the cyberattack on Change Healthcare.

After the discovery of the ConnectWise vulnerability, several tech publications reported that exploitation of the vulnerability had been observed spreading LockBit ransomware. The news of renewed LockBit criminal activity came within days of the much ballyhooed takedown of LockBit ransomware servers and the purported disruption of the criminal organization's activities. February 23, 2024, TechCrunch.com reported:

Security vendor Huntress is credited with first uncovering the vulnerability, February 19, 2023. An authentication bypass vulnerability in ConnectWise ScreenConnect allowed attackers to bypass authentication and gain remote code execution on affected systems. It is this ability to overcome the usual means of verifying that a user has rights to a network that has allowed the attackers to flourish. Patches to fix the flaws in the software were made ready within a day of the vulnerability's discovery.

Apparently, not all system admins got the memo — or read the industry news. Systems all across the Internet have continued to be victimized by this vulnerability. It is the ubiquitous nature of the ConnectWise ScreenConnect application that has brought about the current critical state of pharmacy retailers and others. As DarkReading reported, February 23, 2024,

The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all. Hospitals, critical infrastructure, and state institutions are proven at risk.

As SC Media reported, February 21, 2023, quoting Huntress CEO Kyle Hanslovan, “The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all.”

This vulnerability also poses a clear and present danger to Consumers.  If a Consumer seeks tech support as of this writing, and the support person wants permission to connect remotely, it may be prudent to deny such remote access.  As the ConnectWise ScreenConnect website explains it:

ConnectWise Control, formerly ScreenConnect, is a remote support, access, and meeting solution available in the cloud or as a self-hosted tool. Use remote support and access to repair computers, provide updates, and manage systems or servers. Use remote meetings to conduct online seminars and presentations. ConnectWise Control is a comprehensive, affordable solution for companies of all sizes.

I used to cringe whenever I had tried to fix a Consumer's stubborn computer problem that wouldn't budge. I knew what came next. I often had no alternative but to call the vendor or manufacturer. Invariably, a request for remote access was made by the tech support person. Simple logic told me that, since any computer on any network could be infected, there was always a risk to my Customer in allowing such remote access, and/or vice versa. I would always ask, "Please, just tell me how to fix the problem." Over time, the support people had come to literally demand remote access — and I had to relent. I had grudgingly joined the flock of sheep, my apprehension of a subsequent shearing notwithstanding. Now I know that my initial seeming paranoia about granting remote access to unknown entities was not an irrational fear. It was simply common sense.

When speaking with SC Media as cited above, Huntress CEO Hanslovan expressed well a long-held opinion of mine, as he also laid out the sorry state of contemporary computing.

“There’s a reckoning coming with dual-purpose software; like Huntress uncovered with MOVEit over the summer, the same seamless functionality it gives to IT teams, it also gives to hackers,” said Hanslovan. “With remote access software, the bad guys can push ransomware as easily as the good guys can push a patch. And once they start pushing their data encryptors, I’d be willing to bet 90% of preventative software won’t catch it because it’s coming from a trusted source.”

Coming from a trusted source, indeed.  Are we having fun, yet?

¯\_(ツ)_/¯
Gerald Reiff