A flaw in ConnectWise Control spurred the company to make life harder for scammers

A vulnerability in popular remote access service/platform ConnectWise Control could have been leveraged by scammers to make compromising targets’ computers easier, Guardio researchers have discovered.

By abusing the fully-featured 14-day trial option for that hosted cloud service, scammers are already taking advantage of the platform at no cost, but the vulnerability could have allowed them to remove an alert that can break the illusion the scammers are trying to create.

What is ConnectWise Control?

ConnectWise Control (formerly ScreenConnect) is a solution often used by managed and IT service providers and support and help desk teams to remotely connect to clients’ machines, troubleshoot the problem and fix what needs fixing.

Unfortunately, it’s also used by attackers to deliver ransomware, download malicious payloads and, according to Guardio researchers, to impersonate tech support and surreptitiously achieve remote access to targets’ computers.

The discovered vulnerability

After signing up for a free trial with an anonymous email account and fake personal details, attackers can use the platform to create a convincing support portal with a corporate-grade remote access tool agent. That’s because even in the trial version the support portal can be customized to reflect specific branding.

ConnectWise Control scammers

“For a scammer, all left is to call the victims and manipulate them as if they have some computer technical issue, or alternatively as in our example — send them a fake invoice for some service they never registered to and wait for them to go to the fake refund service portal and enter the ‘invoice’ code (triggering the dedicated RAT installation),” the researchers explained.

To add to the problem, the alert that the trial version shows to end users – advising them to be careful to whom they are allowing access and control of their device and notifying them that the ConnectWise Control solution in use is a trial version – can be easily removed by exploiting a stored (persistent) cross-site scripting (XSS) vulnerability in the web application.

“The webapp admin has control over text and images stored on the servers and served as part of the portal webapp to any visitor. For most of the customizable textual elements, there is decent validation and sanitation,” the researchers found.

Unfortunately, the Page.Title element was not similarly protected against abuse, allowing attackers to inject malicious exploit code, including code that allows attackers to alter or hide any element of the page (e.g., the aforementioned alert box).

The last straw?

The researchers have notified ConnectWise about this simple yet powerful vulnerability earlier this year, and the company fixed it in v22.6 of the solution by correctly sanitizing the Page.Title element.

What’s more, the disclosure of the vulnerability pushed them to make a big change to make scammers’ lives harder: they disabled the customization feature for trial accounts.

Has the now fixed XSS vulnerability ever been exploited in the wild, though?

A Guardio spokesperson told Help Net Security that they didn’t see any in-the-wild exploitation but that, of course, they didn’t have ConnectWise’s tools or privileges to scan all online instances. “We are not aware if ConnectWise scanned or found exploits other than our POC,” they added.

Don't miss