Now that all the statements are out, the proof of concept has been posted and there are announcements from ConnectWise, I figure it's time to close the loop and talk about what happened with ScreenConnect and what's going on moving forward. This is still an actively exploited incident, so "over" isn't really how I would describe it, but it is in the process of being over based on the changes that they made. So let's dive into this. Now the first thing I need to talk about is what ScreenConnect is and how On-Premise was sold, because this is a big piece of it. ScreenConnect today is a great piece of software that you can use to remotely manage lots of computers and take over desktops, and this is used by IT service providers to manage their whole fleet of computers. So hey, when you need help, this is part of our managed agreement: we have ScreenConnect on there and we're able to take control of that computer, fix your Outlook problem, your printer problem, et cetera, and service that system. This isn't just used by external IT companies like us in the managed service provider space; it's also frequently used in the enterprise space by large universities and school systems. It is basically one of the most popular help desk tools out there and it's been around for a long time. It was very popularly sold as a self-hostable On-Premise solution. This is actually what got me interested in it, and I started using it back in 2014 and bought one of those On-Premise licenses. They're, I think, still available today, but they're not publicly listed on their site anymore, so I had to use the Wayback Machine to show how they were sold. That being said, they were not sold with the normal expiring license like you would see on a product today. They were sold with: hey, if you buy this license, you will continue to get support and updates, but if the license expires, you can continue to use it. Your endpoints won't go away, but you can't load updates. 
That's an important piece, because what happens is people said, well, it works fine the way it is. I don't care about the new features. I don't care about support because, well, it works and we're just gonna keep using it. Unfortunately, it's not just support or new features. It's also security updates you're missing, so some people just quit updating these, and then a major flaw was discovered in this system. This is what we did that live stream about the other day, and I couldn't give details because any details given, including how to detect it, would actually tell you how the flaw works. Now the whole proof of concept is out and the details can be shared. Here's a video showing just how quickly this can be done. Thanks to Huntress for putting this proof of concept together. All the details are in the links you'll find below. Obviously this is one of the worst-case scenarios, because this allows threat actors to not only take control of these systems but then have all of these other computers at their disposal to do what they want with. Undoubtedly, you know, the more popular thing here in 2024 is gonna be ransomware attacks, but just the fact that they have system-level access to thousands of systems. So even though ScreenConnect is not something that most end users have heard of, the fact is that for each place using it, whether it be a large university, an internal IT team or the many, many managed service providers, this means thousands of computers can be taken over for each one of these self-hosted instances. And how many are there? Well, according to Shodan, thousands of them. Around 7,000 or 8,000, depending on what type of search parameters you put in there, are the self-hosted ones showing up. I didn't filter through all of it, and even if it's a fraction of that that are actually real and not some type of honeypot, there are still a lot of them out there. This is why it matters. Now let's talk about the response and what is being done. 
ConnectWise did two really big things that I think are very good, and I'm praising them for this behavior. First, ConnectWise decided to take the license and invalidate it. So when these things do their license check-in, even though they have the right to use it under the old terms and conditions, ConnectWise decided to invalidate the license and break those machines. And you're going, Tom, why would you praise the company for doing that? Hear me out. They also have a patch that allows for on-premise upgrades regardless of license status. The problem I have is that when I took the time to call local schools, large-scale schools, entire districts using ConnectWise, and tried to get hold of their IT people, they haven't updated in years. They don't seem enthusiastic about the thought of updating, because there are a lot of factors involved when you're so many versions behind. There is a path to get to the latest version, but that being said, these companies, these school districts, these IT people are just using it. So getting them to actually shut these instances down is really, really hard. So by ConnectWise invalidating them, they are now forced to figure out what's going on and kind of poke their head up from the unpatched world that they live in and go, oh, I think I might need to do something about the tool, because the tool's not working anymore. But they're not being left out in the dark. It's not costing them any money, but it does take the time to upgrade. They can go download this upgrade without the status of their license being updated, other than, hey, you can load this patch here and then upgrade and be patched, but still be on your old license. I think this is the best of both worlds. I'm really happy this is the path ConnectWise chose to go, because, well, ConnectWise in the past, I don't think, may have done that. 
Matter of fact, I have a video all the way back in early 2020 from a previous interaction with them when it came to security, and I don't think their posture then was as good, but here in 2024, they're doing the right thing. So I will, hey, give them a shout-out for that. Now, the cleanup work is still a lot. There is a lot in the interim between this being discovered, the proof of concept getting out there and threat actors actioning on it. There are still a lot of companies that got hit. I don't know exactly how many, but from talking to my security friends, it's not looking pretty for anyone who had these self-hosted instances that didn't jump on the patch. As I said, I was calling some of these people and even called a local competitor, so to speak, that's in the same space as me, and even they weren't aware of it because they were a couple of versions behind. You have to be absolutely on the latest version. That is linked down below in the Huntress blog post and the ConnectWise post, and I have all the links to all these posts for those of you that wanna dig deeper into this. I just wanted to close the loop and get this video out there to let people know kind of why I did a weird live stream with a few of my friends, and it's because this is a pretty serious issue. We're users of ScreenConnect, so we were right away on top of the patches. I stay very in tune with the cybersecurity community and knowing what's going on, but yeah, this is a pretty scary event for anyone that's doing the self-hosting or anyone that doesn't have a really tight patch cycle in terms of, hey, there's a release. Yeah, I'm gonna get to that tomorrow. No, no, you can't wait until tomorrow. This went under active exploit. 
This is actually why we were so tight-lipped about it: because the exploit is so trivial that even telling you how to detect the exploit or what to look for would also be telling you how to do the exploit, and the more people that know it, there are either gonna be people doing it for the ha-ha, just wanting to knock systems over, or, the much larger risk, threat actors actioning on this and taking over systems, which is not the outcome anyone wants to see. But leave your thoughts and comments down below. Like and subscribe to see more content from the channel. Let me know if you think they were right or wrong with this move, and what do you think about security auditing? This is a big challenge. Companies, even when they go through code audit and code review, things can be missed. This was not easy to see, even though it's a trivial one to exploit. It wasn't easy to see how the code allowed this right away, at least especially for me. This is gonna be where it's debated among security researchers who go, that should have been obvious. But this is why I push that when anything's publicly exposed, code audits are really important, and even when they're done, sometimes things can still be missed. So you have to stay vigilant, make sure you're on top of these things and, of course, always have a plan. Thanks.