Connectwise is rotating code signing certificates. What happened?

Connectwise customers who use the company’s ScreenConnect, Automate, and ConnectWise RMM solutions are urged to update all agents and/or validate that the update has been deployed by Friday, June 13 at 8:00 p.m. ET, or risk disruptions.

The reason for the warning is the imminent revocation of digital certificates that have been used to sign previous Connectwise software builds, “due to concerns raised by a third-party researcher about how ScreenConnect could potentially be misused by a bad actor.”

Connectwise has recently confirmed that a nation-state actor compromised the ScreenConnect cloud instances of some ConnectWise customers, but says that this particular issue does not involve a compromise of its systems or its certificates.

Nevertheless, it looks like the weakness flagged by the third-party researcher may have already been exploited by attackers for months.

What’s this all about?

The initial email warning sent out to Connectwise customers said that the certificates would be rotated on Tuesday, June 10, but the deadline was then pushed back to June 13 (as announced on the company’s “Latest Advisories” page on June 9).

The later announcement says that the third-party researcher’s concerns were about how ScreenConnect handled certain configuration data in earlier versions, but does not provide details of how this could be exploited by threat actors.

That information can be accessed only by customers, but some of them have shared it in a discussion on Reddit.

According to one user, the issue that led to the certificate revocation is that ScreenConnect stores configuration data in an area of the installer that is not covered by the code signature, even though that area is part of the installer file.

“We are using this ability to pass down configuration information for the connection (between the agent and server) such as the URL where the agent should call back without invalidating the signature. The unsigned area is used by our software and others for customization, however, when coupled with the capabilities of a remote control solution, it could create an insecure design pattern by today’s security standards,” Connectwise apparently explains in the (non-public) FAQ.

Possible misuse

We’ve reached out to Connectwise to ask whether the configuration issue has been used by attackers to target victims with legitimate, digitally signed ConnectWise ScreenConnect client software that has been reconfigured to connect to attacker-controlled servers to deliver malware, but their representative merely pointed us to the public announcement as the source for “the most up-to-date information”.

As Lumu researchers previously noted, ScreenConnect client software modified in this way bypasses EDRs (because it still carries a valid ConnectWise signature) and doesn’t exhibit abnormal behavior, since remote access is exactly what the tool is expected to do.

“Instead of deploying custom malware for command and control, the attackers leverage a legitimate, widely used, and trusted remote administration tool: ScreenConnect (ConnectWise Control). By embedding malicious configuration into a ScreenConnect client and tricking users into installing it via phishing, they hijack the software’s inherent capabilities for remote access, file transfer, and command execution,” they explained.
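Neither the public advisory nor the Reddit summary says which unsigned area of the installer ScreenConnect uses. The scanner below, an added example written for this article and not ConnectWise’s or Lumu’s code, checks the one region the Authenticode specification explicitly leaves out of the file hash: the attribute certificate table, where any bytes placed after the PKCS#7 signature blob can be changed without invalidating the signature. Whether that is the exact area ScreenConnect relies on is an assumption; the minimal PE image, the placeholder DER blob and the callback-style configuration string are all constructed for illustration.

```python
# Added example, not ConnectWise's code: find bytes in a PE's Authenticode
# certificate table that the signature hash does not cover.
import struct

SEC_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY (holds a file offset, not an RVA)
WIN_CERT_HDR = 8    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2)


def der_length(buf):
    """Total encoded length of the DER element at buf[0:], or None if malformed."""
    if len(buf) < 2:
        return None
    first = buf[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def unsigned_cert_table_bytes(pe):
    """Return the bytes of the certificate table that lie outside any DER-encoded
    signature blob. Authenticode hashes everything except the CheckSum field, the
    security directory entry and this table, so these bytes can be rewritten
    without breaking the signature."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                                   # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32 data directories
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 8 * SEC_DIR_INDEX)
    if sec_size == 0:
        return b""                                        # file is not signed at all
    table = pe[sec_off:sec_off + sec_size]
    slack, pos = b"", 0
    while pos + WIN_CERT_HDR <= len(table):
        length = struct.unpack_from("<I", table, pos)[0]
        if length < WIN_CERT_HDR or pos + length > len(table):
            slack += table[pos:]                          # malformed entry: treat it all as unsigned
            pos = len(table)
            break
        body = table[pos + WIN_CERT_HDR:pos + length]
        der = der_length(body) if body[:1] == b"\x30" else None
        if der is None or der > len(body):
            slack += body                                 # not a DER SEQUENCE at all
        else:
            slack += body[der:]                           # bytes appended after the PKCS#7 blob
        pos += (length + 7) & ~7                          # entries are 8-byte aligned
    return slack + table[pos:]                            # plus any tail after the last entry


def printable_runs(blob, min_len=8):
    """Printable ASCII runs in blob; a quick way to spot an embedded callback host."""
    runs, cur = [], bytearray()
    for b in blob + b"\0":                                # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


def build_sample_pe(hidden=b""):
    """Constructed minimal PE32+ (not a real ScreenConnect binary) whose certificate
    table holds a placeholder DER SEQUENCE followed by `hidden` bytes."""
    sig = b"\x30\x05\x02\x03abc"                          # placeholder DER SEQUENCE, 7 bytes
    body = sig + hidden
    body += b"\0" * (-(WIN_CERT_HDR + len(body)) % 8)     # pad the entry to 8 bytes
    entry = struct.pack("<IHH", WIN_CERT_HDR + len(body), 0x0200, 0x0002) + body
    headers_size, section = 0x200, b"\x90" * 0x200        # one 512-byte section
    cert_off = headers_size + len(section)                # table sits after the last section
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, headers_size)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SEC_DIR_INDEX, cert_off, len(entry))
    sect = (b".text".ljust(8, b"\0")
            + struct.pack("<IIII", 0x200, 0x1000, 0x200, headers_size) + b"\0" * 16)
    headers = (dos + coff + opt + sect).ljust(headers_size, b"\0")
    return headers + section + entry


if __name__ == "__main__":
    # Constructed callback-style config, hidden after the (placeholder) signature.
    sample = build_sample_pe(b"h=relay.attacker.example&p=8041&k=placeholder")
    print(printable_runs(unsigned_cert_table_bytes(sample)))
```

To use it on a real agent, pass `open(path, "rb").read()` to `unsigned_cert_table_bytes` and look at the `printable_runs` of the result. Slack in the certificate table is not malicious by itself (the FAQ quoted above says ScreenConnect and other vendors use the unsigned area for customization), so the signal is the content: a relay host or port that is not your own ScreenConnect server. The script does not verify the signature; pair it with `Get-AuthenticodeSignature` or osslsigncode for that.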

Action required by customers

“In addition to issuing new certificates, we are releasing an update to improve how this configuration data is managed in ScreenConnect,” Connectwise said in the public announcement.

Due to the certificate revocation/rotation, customers using on-premises versions of ScreenConnect or Automate have been instructed to update to the latest build and validate that all agents have been updated before June 13, “to avoid disruptions or degraded experience.”

Certificates and agents across cloud instances of Automate and RMM are being updated by the company, and customers have been urged to validate that their agents are running the latest version prior to the June 13 deadline.

“For ScreenConnect cloud instances, we are finalizing the updated build, which will also be deployed automatically once ready,” the company concluded.
