lolloj - Fotolia

ConnectWise ransomware attacks affecting Automate customers

ConnectWise warned that ransomware attacks are targeting open ports for its Automate on-premises application, but the company has offered few details about the nature of the attacks.

ConnectWise customers are being targeted by ransomware attacks, though the software maker has provided little information about the threat.

The ConnectWise ransomware attacks are targeting customers using the Automate remote monitoring and management product on premises. The software maker, based in Tampa, Fla., which specializes in remote access software for managed service providers (MSPs), first disclosed on Twitter Thursday afternoon that it had received reports of ransomware attacks on its customers.

According to a company statement provided to SearchSecurity, malicious actors are "targeting open ports for ConnectWise Automate on-premises application to introduce ransomware."

"In an effort to protect our partners, we will not publicly disclose the specific port that is being targeted," the ConnectWise statement said. "We are communicating with our impacted Automate on-premise partners and are directing partners to reach out to the support team."

It is unclear when the attacks occurred, what type of ransomware was used, how many ConnectWise customers were targeted and if any of the ransomware attacks were successful.

A ConnectWise spokesperson confirmed the customers impacted by the ConnectWise ransomware attacks have been contacted via email and directed to a support page requiring a login. SearchSecurity was able to access the page, which is a ConnectWise University document titled, "ConnectWise Automate Installation Prerequisites." The page makes no reference to the current ransomware attacks against customers and provides no information about remediating the specific threat.

The company has not provided any additional public information about remediating the attacks beyond its initial tweet asking customers to "ensure that your ports are not left open to the internet."

However, customer replies to the ConnectWise tweet, including this information, suggest the support documentation and communication from the company are lacking needed details.

One reply from Anne Schoolcraft, president of A Couple of Gurus, an MSP based in Minneapolis, noted that she would have missed the information had it not been shared by someone else on LinkedIn.

Tom Scott, president of TS3 Technologies, a managed IT service company based in Birmingham, Ala., asked for more detail, including what ports are being targeted, and noted he had opened a support ticket with the same question.

More ConnectWise ransomware attacks

This is the fourth known ransomware incident involving ConnectWise this year.

In February, a flaw in a ConnectWise plugin for the Kaseya VSA remote monitoring and management software was exploited and led to several managed service providers being infected with GandCrab ransomware.

In May, the ConnectWise Manage platform was taken offline after an off-site system used for cloud performance testing in the European Union was hit with ransomware.

And, in August, an on-premises version of ConnectWise Control used by TSM Consulting, an MSP based in Rockwall, Texas, was used to deliver ransomware to 22 municipal governments in Texas.

ConnectWise did not respond to requests for comment on the string of ransomware attacks involving the company and its products.

Security news writer Alexander Culafi contributed to this report.

Next Steps

MSP software vendor ConnectWise buys Perch, StratoZen

Ransomware gangs exploiting ConnectWise ScreenConnect flaws

Dig Deeper on Threats and vulnerabilities