Hackers Target ConnectWise Automate, MSP Software Company Warns


Malicious actors are targeting ConnectWise Automate, an RMM (remote monitoring and management) software platform that’s popular with MSPs (managed IT services providers) and technology solutions providers (TSPs), the company warned on Thursday.

In a tweet, ConnectWise wrote:

“We want to inform you there are recent reports of malicious actors targeting open ports for ConnectWise Automate on-premises application to introduce ransomware. Please ensure that your ports are not left open to the internet based on our best practices: ow.ly/bmbs30pQG57”

Hackers frequently target MSP software platforms from multiple vendors with malware and ransomware attacks, the FBI has repeatedly warned. In a typical attack, prying open one digital doorway within an MSP often leads to multiple partner and end-customer systems.

MSPs Rethink Cybersecurity

Amid that reality, many MSPs are embracing the NIST cybersecurity framework to evaluate and mitigate risk within their own businesses.

For its part, ConnectWise is working to build an Information Sharing and Analysis Organization (ISAO) for technology solutions providers. The Technology Solution Provider ISAO (TSP-ISAO) has essentially spun out of ConnectWise and will be independently funded to ensure vendor neutrality. MSP industry veteran MJ Shoer is leading that effort.

Meanwhile, most major MSP and RMM software providers now enforce or will soon enforce two-factor authentication as a means to further mitigate MSP risk.





    Hector Ortiz:

    Any further news? I fear there will be more of these coming down the pike. Automate alone can be hacked by so many methods including OS, Screen Connect, and just ports open to the Internet. So glad we are moving away from them.

    BJ Farmer:

    It has been known for a while that MSPs, and all their tools, are at a higher risk than most. Simply because a breach would be more fruitful.

    The online article they point out as a way to “stop” these attacks is quite extensive. If you print it, it’s 21 pages. However, as it relates to the alert article, there are exactly 18 lines that talk about what ports need to be opened. The KB article is really about configuring an Automate (LabTech) server, but not how to secure such a server. So my point is the “Nature of the Tool”.

    Given that the Industry is at Risk, and the Tool in question may be used against any MSP, because it has to be exposed to the Internet to work, why isn’t ConnectWise doing more to secure Automate servers?
    An Automate server checks back to them for licensing. So they have the IP and host name. Why are they not scanning our server to let us know “hey your fly is open!”?
    Why are they not putting out articles on how to strengthen security on an Automate server?
