ConnectWise Confirms ScreenConnect Cyberattack, Says Systems Now Secure: Exclusive

‘ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,’ ConnectWise said in a statement.

ConnectWise has confirmed it suffered a recent cyberattack that led to unauthorized access of its ScreenConnect cloud infrastructure.

“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,” the Tampa, Fla.-based vendor said in a statement. “We have launched an investigation with one of the leading forensic experts, Mandiant. We have communicated with all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment. We have not observed any further suspicious activity in any customer instances. The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.”

No further signs of malicious activity have been detected since the update was applied, a source familiar with the situation, who asked for anonymity, told CRN.

“We’ve seen no further activity since the patch was implemented.”

ConnectWise did not disclose when the breach occurred or the number of affected MSPs or end users; however, the source said the vendor reached out to all those impacted by the breach.

While the company refrained from confirming whether any customer data was stolen or systems were compromised beyond unauthorized access, it emphasized collaboration with law enforcement and cybersecurity firm Mandiant in the response effort.

Jason Slagle, president of Toledo, Ohio-based MSP CNWR Inc., and a longtime ScreenConnect user, said the situation underscores a larger challenge in the industry: maintaining the security of legacy software built on now-outdated assumptions.

“These are nightmare situations,” Slagle told CRN. “We have a lot of very old legacy software that was secure by default, but not secure by design. It followed best practices at the time it was created, but that time has passed.”

Still, he has confidence in ConnectWise’s ability to respond appropriately.

“I have a large amount of confidence in Patrick Beggs (ConnectWise CISO) and the security team at ConnectWise,” he said. “They take their job seriously and I generally believe they do a good job given the resources they have.”

Until then, Slagle said he is reviewing his company’s own security protocols, not just for ScreenConnect but for all tools with elevated access.

“These kinds of events are reminders to stay vigilant,” he said. “No tool is invulnerable.”

When asked about the security of ScreenConnect going forward, the anonymous source stressed that ConnectWise is constantly reviewing and enhancing its product security.

“Our product security capabilities are continuously maturing,” they said. “It’s an evolving endeavor. We want to learn from any internal and external events to better protect our environment, our products and our customers.”

While the two incidents are unrelated, the breach comes about 15 months after ConnectWise disclosed security vulnerabilities in its ScreenConnect tool affecting both cloud and on-premises systems. In February 2024, cloud environments were promptly patched and partners using on-premises servers were notified with urgent instructions to update.

“Things like this are only going to continue to happen, unfortunately,” Paul Vedder, co-founder of West Palm Beach, Fla.-based VXIT, told CRN in an email. “Nothing is 100 percent safe and that’s just reality. I hope incidents like this send a strong reminder to other vendors to focus on what they can do to protect themselves, their customers (us MSPs) and most importantly, the MSPs’ end users. The MSP end user is the reason we are in business and the reason the vendors are in business, they need to take this seriously.”

The recent incident comes just a week before the company’s annual IT Nation Secure conference in Orlando, Fla. The source confirmed that the breach will be discussed at the event, calling it a “reinforcement” of the need for cybersecurity vigilance in the MSP industry.

“This is a reminder that MSPs are part of critical infrastructure in whatever country they operate. They are always going to be a target,” the source said. “We’re trying to be transparent and say, ‘This happens, and it’s OK to talk about it.’ We have a very mature cybersecurity operations program, but we’re always looking to improve.”

Keith Nelson, CEO of Irvine, Calif.-based ConnectWise partner Vistem Solutions, said he hadn’t been contacted directly about the breach despite being a cloud user of ScreenConnect.

“First, I’d like to have heard it from them first. That’s a little concerning,” he told CRN. “Even if we’re not affected directly, we are, because we don’t white-label our services. Our customers will be asking questions and we won’t have the answers.”

Nelson emphasized the importance of proactive communication in the MSP space, especially when security is involved.

“Communication is paramount. Even if it’s just to say, ‘Hey, our product had a breach, but you’re isolated,’ we need to be ready with those answers,” he said.

Though ConnectWise has patched the vulnerability and reported no further suspicious activity, he said he remains cautiously optimistic.

“I feel semi-confident,” he said. “If there’s a good postmortem report that shows they addressed it correctly and isolated the issue, then yes, I’ll feel more secure. Incidents will happen, it’s about how you respond.”