I genuinely want to keep you safe and secure, but I realize it is a considerable task that gets more formidable with each passing day.
Last month, I sent you a brief email describing a threat posed by the ScreenConnect software. A researcher discovered a flaw that could allow unauthorized access to the software. While the vendor quickly confirmed and then fixed the problem, the true breadth of the issue soon became apparent. With two versions extant, ConnectWise had to ensure they patched the cloud version quickly and notified everyone who had purchased licenses for the server-based version to patch their instances.
I am grateful to use the cloud-based version because I didn’t have to lift a finger to install the patches. On the other hand, during a blizzard of pop-up webinars given by various security providers, including Huntress, I learned that hundreds of systems are running older versions of ScreenConnect, and ConnectWise has no contact information. Emails they sent to alert people were treated by Microsoft’s Exchange and Outlook as spam, thus not reaching the intended recipients promptly.
In some cases, servers were compromised, and bad actors accessed attached client computers. No one knows what information was exfiltrated, nor what hidden threats were left behind. I work in a world of acronyms, and one that I frequently heard last week was IOCs. That abbreviation stands for “indicators of compromise,” meaning the digital and informational “clues” that incident responders use to detect, diagnose, halt, and remediate malicious activity in their networks.
By the end of the week, a significant news story was that the healthcare giant UnitedHealth Group had to shut down the IT systems at its subsidiary Optum because of a ransomware attack. Optum Solutions operates the Change Healthcare platform, the largest payment exchange platform among doctors, pharmacies, healthcare providers, and patients in the US healthcare system. As more information came to light, analysts came to believe that a group of bad actors took advantage of an unpatched ScreenConnect server and ran roughshod over the entire network.
I will assume an organization as large as UnitedHealth Group has a valid incident response plan (IRP) and that pulling the network plug on their computer systems was the first step. Next, of course, was to contact their insurance company and establish a remediation task force. But what about smaller organizations?
How does a one-person MSP or a 10-person firm handle this? I will spend the next few months making certain that my IRP is updated to account for such an incident. As I edited a penultimate version of this newsletter, an email arrived from the New Jersey Cybersecurity & Communications Information Cell (NJCCIC) about Russian SVR actors targeting cloud infrastructure. The email goes on to say:
The NCSC has previously detailed how SVR cyber actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain. It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.
Even though I don’t use a server-based version of ScreenConnect, I now feel it necessary to include additional “what if” scenarios in my IRP to ensure thorough coverage.
Thanks, and safe computing!