The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode. Click here for instructions on how to access the new forum.
appareledfleck  
#1 Posted : Monday, November 16, 2015 5:39:33 PM(UTC)
Rank: Newbie

Joined: 11/16/2015(UTC)
Posts: 4
United States

Thought I would share something we ran into and what I believe to be the cause:

For a time, we had a plugin enabled to allow access to the "Build Installer" option from our Guest page. We knew there might be some risk that random folks could connect, but we couldn't see how a compromise could occur as a result and left it like that. After a few months of running like this, we suddenly noticed 5-10 devices that we did not own/control appeared in the Access section over the course of two days. Here's a brief description of the ones we saw:

  • Windows 7 and XP SP3 machines in the default workgroup
  • Various generic names like: ELVIS-PC, ANTONY-PC, BRBRB-D8FB23AC1, WIN-4163C97LWCA, XP3-HOST01
  • Connected from various different Australian and US IP addresses
  • All were virtual machines
  • Some appeared to have command prompt windows open from the screen grab
  • All stayed connected for only 2-3 minutes and then never reconnected

I ended the sessions since there wasn't much more information to be gleaned, but we were concerned about the implications. If it was one or two sessions that were obviously from a random public user, that would be less of an issue, but these appeared to all be from random test machines and they all suddenly connected within the same 1-2 day span.

A little Google searching showed that these device names are associated with various honeypot and exploit detection sandbox systems. ANTONY-PC, for example, is likely a VirusTotal system - the machines appear as a result of someone (or some software) uploading our client installer to a system like VirusTotal and having it detonated to try and detect malicious behavior. The sudden onslaught of random machines corresponded with our roll-out of new exploit prevention software, which includes a feature to analyze file behavior using sandbox systems.

Hope that helps calm someone else's nerves upon seeing some foreign machines appear in their console.
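As an added illustration (not part of the original post), a small triage routine that applies the indicators described above, a known sandbox hostname, default workgroup, virtual machine, and a 2-3 minute session, to Access-list entries and separates owned machines, probable sandbox detonations, and unknown hosts that still deserve a look. The record layout, field names and sample sessions are assumptions, not the ScreenConnect schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Hostnames the post above saw appear; the author tied them to sandbox/honeypot systems.
KNOWN_SANDBOX_HOSTS = {"ELVIS-PC", "ANTONY-PC", "BRBRB-D8FB23AC1", "WIN-4163C97LWCA", "XP3-HOST01"}
SHORT_SESSION = timedelta(minutes=5)  # covers the 2-3 minute detonation window in the post

@dataclass
class AccessSession:  # field names are assumptions, not the ScreenConnect schema
    hostname: str
    workgroup: str
    is_vm: bool
    connected_at: datetime
    disconnected_at: Optional[datetime]  # None while still connected

def sandbox_indicators(s: AccessSession) -> List[str]:
    """Return which of the post's indicators this session matches."""
    hits = []
    if s.hostname.upper() in KNOWN_SANDBOX_HOSTS:
        hits.append("known-sandbox-hostname")
    if s.workgroup.upper() == "WORKGROUP":
        hits.append("default-workgroup")
    if s.is_vm:
        hits.append("virtual-machine")
    if s.disconnected_at and s.disconnected_at - s.connected_at <= SHORT_SESSION:
        hits.append("short-lived")
    return hits

def likely_detonation(s: AccessSession) -> bool:
    """A known sandbox name alone, or three weaker indicators together, flags the session."""
    hits = sandbox_indicators(s)
    return "known-sandbox-hostname" in hits or len(hits) >= 3

def triage(sessions: List[AccessSession], inventory: Set[str]) -> Tuple[list, list, list]:
    """Split hostnames into (managed, likely_sandbox, needs_review); inventory = hosts you own.
    Unknown hosts that do not look like detonations are the ones a human should check."""
    managed, sandbox, review = [], [], []
    for s in sessions:
        bucket = managed if s.hostname.upper() in inventory else sandbox if likely_detonation(s) else review
        bucket.append(s.hostname)
    return managed, sandbox, review

# Constructed sample data (not from the thread) so the block runs offline.
T0 = datetime(2015, 11, 14, 10, 0)
SAMPLE_SESSIONS = [
    AccessSession("ANTONY-PC", "WORKGROUP", True, T0, T0 + timedelta(minutes=2)),
    AccessSession("WIN-0000TEST", "WORKGROUP", True, T0, T0 + timedelta(minutes=3)),
    AccessSession("ACCT-LAPTOP7", "CORP", False, T0, None),
    AccessSession("VENDOR-BOX", "CORP", True, T0, None),
]
```

Hostnames on the watchlist are treated as conclusive because they come from the thread; the three-indicator rule catches detonation VMs with names nobody has catalogued yet.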

MrEastwood  
#2 Posted : Monday, November 16, 2015 8:24:13 PM(UTC)
Rank: Advanced Member

Joined: 3/23/2015(UTC)
Posts: 113
United States
Location: Los Angeles

Good information, thank you for sharing
JMZ_NM  
#3 Posted : Sunday, November 29, 2015 5:58:54 PM(UTC)
Rank: Newbie

Joined: 11/29/2015(UTC)
Posts: 1
United States
Location: New Mexico

Thanks for this post!

Strangely enough this just happened to me yesterday...

ANTONY-PC just appeared in my list and mimicked another domain I support.

This still leaves me wondering whether this is an issue to be concerned with?

Is this a ScreenConnect vulnerability?

Thanks

JMZ
ddre  
#4 Posted : Monday, November 30, 2015 9:17:46 AM(UTC)
Rank: Member

Joined: 7/1/2014(UTC)
Posts: 34
Australia
Location: Melbourne, Australia

Originally Posted by: appareledfleck

Hope that helps calm someone else's nerves upon seeing some foreign machines appear in their console.


I could have written your post word for word. Exactly the same thing happened to us about 3 months ago. Wasn't really sure what to make of it other than keeping an eye on it. Hasn't happened since, but I'd be interested in a response from SC techs.

We have found having the installer on the home page makes life much easier. Maybe a super simple captcha before downloading the file would help?

MannyTC  
#5 Posted : Monday, November 30, 2015 9:17:12 PM(UTC)
Rank: Advanced Member

Joined: 2/19/2015(UTC)
Posts: 262
United States
Location: AZ

Originally Posted by: ddre
We have found having the installer on the home page makes life much easier. Maybe a super simple captcha before downloading the file would help?


I had this issue as well. I started to use the Guest Full Installer extension and modified it to add a password. That way it is available on the guest screen and I just give out the basic password when needed. That has stopped the random sessions from showing while still giving easy access to the unattended installer.

appareledfleck  
#6 Posted : Monday, November 30, 2015 9:27:52 PM(UTC)
Rank: Newbie

Joined: 11/16/2015(UTC)
Posts: 4
United States

Originally Posted by: JMZ_NM
Thanks for this post!

Is this a ScreenConnect vulnerability?

I wouldn't call it a vulnerability, no. It's entirely "by design" for both SC and the exploit prevention systems that spawn these VMs, and even if there was some mechanism to exploit SC via a client, it would be user-induced because we added the functionality to run the installer from the home page via a third-party extension.