"Find the ConnectWise Control solution that is right for your clients." No, it's not a sponsored video by them, but I wanted to bring up an important topic. A lot of these hacks, a lot of these ransomware attacks against MSPs, have been facilitated by the power that comes with this MSP software, and I want to talk about a tool specifically, one that we use, and kind of give you the scenario for how this tool was used to deploy ransomware. Like anything in the world, with great power comes great responsibility, and that certainly applies to this.

So while this tool makes it very easy to facilitate connections to thousands of computers, connections that allow me to push software updates or deploy any type of software across all of my clients, it makes us more efficient and more profitable because we can manage things at scale. I'm singing all the praises, right? But what happens when you lose control of your software? Unfortunately a lot of IT providers have found this out.

Now I highly, highly recommend, before you go any further, if you're using ConnectWise Control and you have not validated that every single user you have on there has TOTP two-factor authentication turned on, that's time-based authentication, things you can use Google Authenticator or other time-based authentication mechanisms for. Time-based is the way to go. It is excellent. It is highly, highly necessary. Also password reuse: if you're reusing passwords, don't. That's frequently the side of this where the breach occurs. Through debriefs and through people I've talked to in the industry who've gone through breach remediation where they've taken control of their ConnectWise: this is not a flaw in the product. This is not the fault of ConnectWise.
All of this is directly related to people not having control of passwords. Now that we've gone and covered that, let's talk about what kind of fun we can have.

So I have my Pwnage system that we have a demo set up on here, and we're going to start covering some of the basics. So the first one: this is ConnectWise Control. This is VirtualBox, so a Windows 10 clone running in VirtualBox. You can see that when I do things on here the user can go, "Hey, I see you doing things." Please note the top: it says "Your computer is being controlled by Tom." So obviously this requires people to lock their workstations and all those good security habits that you're preaching to all the users, which are all valid.

We're going to go ahead and lock it out. So let's go ahead and lock the workstation, right? All right, it's locked. So great: if I tried to log in and try to do this, there's a password on it. So I've thwarted the bad guys because, you know, people didn't leave things logged in. So now we've stopped them, right? Mmm. We're going to go ahead and do this: we're going to select Login Session, Backstage. Here's the first thing, that noise you heard was this, and let's log in. Now Tom's not in control. The little box is gone.

This is the first step, and there's a lot of them. Look, a PowerShell right at the command prompt here. But obviously this is not the fun way to do it. I mean, I can run PowerShell commands. I have full authority on this machine. I'm running at the base level of the machine with both PowerShell and CMD open. I can launch things, I can run things in this session, and the user being locked doesn't matter. I have SYSTEM level permissions because that's what these systems install as. So I'm obviously able to run anything I want on here and do so without the user's interaction. Matter of fact, right now there's nothing to indicate that I'm connected. But if I switch back: hey, look, "Your computer is being controlled by Tom." It lit up here.
Now the user knows I'm connected. So let's go back to locking the system again. Go here, and we'll do the good security hygiene and lock the workstation because we're away from it, and we'll close this too, because let's talk about what the escalation part is. So, yeah, Pwnage: we're now disconnected from it. What can we do without having to do an interactive session at all? Because going to a completely non-interactive session, well, that's way easier to do, right? Actually, quite.

So if we go over here, I have a few things I've already been playing around with and running in here. This allows you to push commands back in. When any of the machines are connected, this gives me PowerShell access; actually, it gives me different types of shells. So we'll do this right here. Let's see, what do we want to do? Let's just do a command like this. We're going to choose a shell, and you do that in a similar way that you do in Linux; matter of fact, if you're going to a Linux client, you can do this on Linux. So if we do `#!ps`, or hashtag, however you want to look at that, pound sign (but I say hashtag when I see it sometimes), pound sign, exclamation point, p, s for PowerShell. I hold down Shift and press Enter so I'm on the next line, so I can actually execute the command. And let's say we execute... I'm not a PowerShell expert, so I have some stuff I'm going to copy and paste: Get-Process, list. So boom, there we did this as "execute PowerShell." I'm going to dump a process list of things running. Now I can go further and start and stop and delete processes and move things around, but obviously what's more likely is I would run a command more like this if I'm going to deploy my malware on here as a bad actor who has back-end access. And by the way, I'm doing this without any type of user interaction; matter of fact, it's not showing connected here now.
So we go here, I'm just going to paste it in. So we did `powershell New-Object WebClient`. I'm not going to pipe this in to execute it, but I just grabbed something off of my GitHub, raw.githubusercontent.com, flipsidecreations dotfiles; it's just my uninstall.sh on there. We're going to go ahead and run this command. Now, because I didn't actually pipe it into execute, it's just going to dump on the screen what it downloaded, but it's showing the proof of how easily I could have taken some type of PowerShell script that were to deploy the ransomware at the system level, and how quickly I was able to do that. So I could just go into each one of these systems and push it out there.

Now a couple of other methodologies that we can use. We go ahead and go here. Here I'm doing this from Linux; it's a little different if you do it from a Windows machine. But if we go to Toolbox, and I'm blurring out some of the things in here, what I wanted to show you is I can just kick these off. We have some client data in here because this is actually how we use this to push our RMM updates when we're onboarding a new client: we're going to connect to a ScreenConnect and we're going to be able to push this over there. But I can just click this and it's going to install it automatically on their computer. By the way, I'm doing it with it locked. So it's locked. Let's go over here and see what's going on behind the scenes here. Oh, it actually did find an error because I didn't have it: I just threw Angry IP Scanner on there and it went to the Java downloads, and I don't have Java in there. But please note, I was able to install software while their screen was locked. How does that work in ScreenConnect? Well, what's going on is, once you have breached a system, you go to the Toolbox. You can add anything you want to the Toolbox.
So you add your wares on there and you can just quickly start deploying things from the Toolbox to all the systems, and you can see once again it's another methodology. What I'm trying to highlight here is how quickly things can spiral out of control. The risks are very real and we see this, and I bring it up again because I only covered it last week: the dental company. They were using ConnectWise Control, my summation, not that I have inside information, but I know they were using ConnectWise because they have it on their site, and I did talk to one of the people that worked for the dental, well, that was a victim of this, and they said yeah, they have ScreenConnect on all the computers. ScreenConnect is what it used to be called; it's ConnectWise Control now. But they have it on all of them. So the bad actors were able, once they had control of this, to rapidly deploy to hundreds of workstations.

And this isn't just true of ConnectWise Control; there's SolarWinds, and I didn't want to take the time to set this up on our SolarWinds platform, but SolarWinds has similar features where we can deploy things at scale to entire client groups or mass amounts of computers. Any of these tools have to be locked down with the utmost of security. That is one of the reasons I recommend making sure that two-factor is on, that you never reuse passwords, that even your username, which is frequently your email address, not necessarily be the email address you usually use for emailing back and forth with clients. Perhaps create an alias. Also, make sure when you have the two-factor on that it's not SMS-based; that makes it a better attack vector because you can hijack SMS. We've seen this happening quite a bit. The preferred method, like I said, is TOTP, time-based authentication.

But I just wanted to kind of show how quickly things can go out of control. These tools are very powerful, and one of the problems, and this is where there's discrepancies when there's a breach now: they may use it for
ransomware, because that is the most lucrative, most profitable thing. But this works two ways: if I wanted a file off of their desktop, if I wanted access to data, especially if you have control, quietly have control, and no one has realized the breach has occurred because you haven't ransomwared them. It is possible, it is absolutely plausible, that they have removed data from the computer, that they have copied any data they want. They could also install quiet backdoors. They could actually run the ransomware attack over time and have it time-based, where they've installed all the back end and they've set a date by which it all executes, so they can do it over time. This is why everything from watching your logs in ScreenConnect, watching any of the logins, restricting everything down, and auditing all the time is so critical.

I just want to bring this up because I know there were some questions I've seen in the, you know, "How did they do it?" And this is the methodology. This is the plan of attack that undoubtedly was used, based on everything I've read and everything I've known about a lot of these attacks when tools like this were involved. Once your RMM tool, once your remote access tools are compromised, you have a huge uphill battle, and there's no way to guarantee to the client, as much as people want to say this, and this is the hard truth of it: once someone has had access with a tool like this that has SYSTEM level access, those machines need to be wiped. The only way to trust those machines again is to wipe them. And if someone were to ask, did they take any data, any personal data, any financial data, any medical records, or whatever that client had, the answer is you don't know unless there was a log of it, which, by the way, if they have remote access and they have admin privileges, they are going to delete all the logs. You have to assume the answer is yes, and then follow all the procedures that go with that, you know, whether you're compliant with HIPAA, Sarbanes-Oxley, whichever
compliance industry you're in, you have to notify and follow the proper legal channels to do this. It's unfortunate, it's tragic, but that's just the reality of it.

So I just wanted to make this video to kind of show how easy it is, how you can quickly go in here and just dump commands, PowerShell, without any user interaction. You can do installs without user interaction. So people that say, "Hey, I locked my... I told my users to lock the screen, so I don't have to worry about this." Unfortunately you do. As long as they have connection, they have SYSTEM level privileges and they have the ability to execute.

All right, thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.
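Added example, appended after the transcript; it is not code from the video, from Lawrence Systems, or from ConnectWise. The video's closing advice is to watch ScreenConnect logins and command activity and to audit constantly. The script below shows what that detection logic can look like, run over a few constructed audit events in a hypothetical "timestamp,user,src_ip,event,host" format. The format, the event names (`RunCommand`, `Backstage`, `ToolboxRun`), the account name and the IP addresses are all assumptions for this example; the real ConnectWise Control audit export is not reproduced here, so `parse_events()` is the piece to adapt. It flags the three things the video demonstrates an attacker doing: non-interactive command or Toolbox execution against a machine (which never shows "Your computer is being controlled by" to the user), one account touching many distinct hosts in a short window (mass deployment), and a login for an account from a source IP that account has never used.

```python
# Added example (not the video's or ConnectWise's code). The log format is
# constructed for this example and is NOT the real ConnectWise Control /
# ScreenConnect audit export; adapt parse_events() to your real export.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: timestamp,user,src_ip,event,host ("-" = no host).
# The evening block is the stolen-credential scenario from the video: a login
# from a new IP, then commands pushed to one workstation after another.
SAMPLE_LOG = """\
2019-08-28T09:00:12Z,tom,203.0.113.10,Login,-
2019-08-28T09:01:03Z,tom,203.0.113.10,Connect,WS-ACCT-01
2019-08-28T09:40:44Z,tom,203.0.113.10,Disconnect,WS-ACCT-01
2019-08-28T23:15:02Z,tom,198.51.100.77,Login,-
2019-08-28T23:15:30Z,tom,198.51.100.77,RunCommand,WS-ACCT-01
2019-08-28T23:15:41Z,tom,198.51.100.77,RunCommand,WS-ACCT-02
2019-08-28T23:15:52Z,tom,198.51.100.77,RunCommand,WS-FRONT-01
2019-08-28T23:16:05Z,tom,198.51.100.77,RunCommand,WS-FRONT-02
2019-08-28T23:16:20Z,tom,198.51.100.77,ToolboxRun,WS-XRAY-01
2019-08-28T23:16:33Z,tom,198.51.100.77,RunCommand,WS-XRAY-02
"""

# Constructed per-account list of source IPs the technician normally logs in from.
KNOWN_IPS = {"tom": {"203.0.113.10"}}

# Hypothetical event names for the non-interactive paths shown in the video: the
# command channel ("#!ps ..."), Backstage sessions and Toolbox pushes. All run as
# SYSTEM and none of them light up the "being controlled by" banner for the user.
NON_INTERACTIVE = {"RunCommand", "Backstage", "ToolboxRun"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src_ip: str
    event: str
    host: str


def parse_events(text):
    """Parse the constructed CSV-like format into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, src_ip, event, host = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, src_ip, event, host))
    return events


def find_unknown_ip_logins(events, known_ips):
    """Logins from a source IP not on the account's known list (or from an unknown account)."""
    return [e for e in events
            if e.event == "Login" and e.src_ip not in known_ips.get(e.user, set())]


def find_non_interactive(events):
    """Every command / Backstage / Toolbox action: SYSTEM-level, nothing shown to the user."""
    return [e for e in events if e.event in NON_INTERACTIVE]


def find_mass_activity(events, window=timedelta(minutes=5), threshold=5):
    """One account touching >= threshold distinct hosts inside a sliding time window.

    Returns at most one (user, window_start, hosts) tuple per account: the first
    window that crosses the threshold. Host-less events ("-") are ignored.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.host != "-":
            by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            hosts = frozenset(x.host for x in evs[start:end + 1])
            if len(hosts) >= threshold:
                alerts.append((user, evs[start].ts, hosts))
                break
    return alerts


def analyze(text, known_ips=KNOWN_IPS):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_events(text)
    return {
        "unknown_ip_logins": find_unknown_ip_logins(events, known_ips),
        "non_interactive": find_non_interactive(events),
        "mass_activity": find_mass_activity(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for e in report["unknown_ip_logins"]:
        print(f"[login from unknown IP] {e.ts:%H:%M:%S} {e.user} from {e.src_ip}")
    for e in report["non_interactive"]:
        print(f"[non-interactive action] {e.ts:%H:%M:%S} {e.user} {e.event} -> {e.host}")
    for user, start, hosts in report["mass_activity"]:
        print(f"[mass activity] {user} touched {len(hosts)} hosts from {start:%H:%M:%S}: {sorted(hosts)}")
```

On the constructed sample this reports one login from an unknown IP, six non-interactive actions, and one mass-activity alert for the five distinct workstations hit inside the first five minutes of that session. Two design points follow from the video itself: the logins from an unfamiliar IP are the event TOTP would have prevented, so that finding is the one to page on immediately rather than review later; and because an attacker with admin rights on the control server will delete its logs, this kind of check is only useful if the events are forwarded in real time to a log store the RMM administrator account cannot touch.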