ConnectWise says nation-state attack targeted multiple ScreenConnect customers
IT management software company ConnectWise said it is investigating a nation-state attack on its systems that impacted some of its customers.
The company declined to provide details about the incident but told Recorded Future News that it “recently learned of suspicious activity” within its environment that it believes “was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers.”
ScreenConnect is the company’s flagship IT remote management and monitoring software and is used by dozens of governments and large businesses. Hackers have frequently targeted vulnerabilities in the software, using it as a jumping-off point for ransomware attacks and data thefts.
ConnectWise said it has launched an investigation with forensic experts from Mandiant.
“We have communicated with all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment,” a spokesperson said.
“We have not observed any further suspicious activity in any customer instances.”
The company did not respond to a request for additional details. The incident was first reported by CRN.
ScreenConnect allows for secure remote desktop access and mobile device support. It is a popular enterprise tool that is widely used by managed service providers (MSPs), which are attractive to cybercriminals and nation states because they can serve as staging points to launch attacks on other businesses.
Both China and Russia have been seen exploiting ConnectWise ScreenConnect vulnerabilities in the last two years.
Researchers from Google said in February that a hacker affiliated with China’s Ministry of State Security exploited CVE-2024-1709 in ConnectWise ScreenConnect “to compromise hundreds of institutions primarily in the U.S. and Canada.”
The same bug was used repeatedly by Chinese state-backed hackers to attack U.S. defense contractors, U.K. government entities and institutions in Asia throughout 2024, according to Mandiant. Other security experts called the bug a “catastrophe” due to how trivial it was to exploit.
Sandworm, which researchers have tied to Russian Military Intelligence Unit 74455, was also seen using it in attacks, according to Microsoft.
The Cybersecurity and Infrastructure Security Agency (CISA), which did not respond to requests for comment about the ConnectWise incident, previously warned that cybercriminals used versions of ScreenConnect themselves during attacks on at least two federal civilian agencies.
The Florida-based ConnectWise was purchased by private equity giant Thoma Bravo in 2019.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.