ConnectWise breached in cyberattack linked to nation-state hackers

IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers.

"ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers," ConnectWise shared in a brief advisory.

"We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all affected customers and are coordinating with law enforcement."

ConnectWise is a Florida-based software company that provides IT management, RMM (remote monitoring and management), cybersecurity, and automation solutions for managed service providers (MSPs) and IT departments.

One of its products is ScreenConnect, a remote access and support tool that allows technicians to securely connect to client systems for troubleshooting, patching, and system maintenance.

As first reported by CRN, the company now says it has implemented enhanced monitoring and hardened the security across its network.

They also state that they have not seen any further suspicious activity in customer instances.

ConnectWise did not answer BleepingComputer's questions about how many customers were impacted, when the breach occurred, or whether any malicious activity was observed in customers' ScreenConnect instances.

However, a source told BleepingComputer that the breach occurred in August 2024, with ConnectWise discovering the suspicious activity in May 2025, and that it only impacted cloud-based ScreenConnect instances. BleepingComputer has not been able to independently confirm the breach dates.

Jason Slagle, President of managed service provider CNWR, told BleepingComputer that only a very small number of customers were impacted, suggesting the threat actor carried out a targeted attack against specific organizations.

In a Reddit thread, customers shared further details, stating the incident is linked to a ScreenConnect vulnerability tracked as CVE-2025-3935, patched on April 24.

The CVE-2025-3935 flaw is a high-severity ViewState code injection bug caused by unsafe deserialization of ASP.NET ViewState in ScreenConnect versions 25.2.3 and earlier.

Threat actors with privileged system-level access can steal the secret machine keys used by a ScreenConnect server and utilize them to craft malicious payloads that trigger remote code execution on the server.

While ConnectWise did not state that this vulnerability was exploited at the time, it was marked as High priority, indicating it was either actively exploited or carried a significant risk of exploitation.

The company also stated that the flaw was patched on its cloud-hosted ScreenConnect platforms at screenconnect.com and hostedrmm.com before it was publicly disclosed to customers.

As the breach only impacted cloud-hosted ScreenConnect instances, it's possible that threat actors first breached ConnectWise's systems and stole the machine keys.

Using those keys, attackers could conduct remote code execution on the company's ScreenConnect servers and potentially access customer environments.

However, it should be noted that ConnectWise has not confirmed whether this was how customers' instances were breached.

Customers who spoke to BleepingComputer are frustrated by the lack of indicators of compromise (IOCs) and information shared by ConnectWise, leaving them with little information on what happened.

Last year, a ScreenConnect flaw tracked as CVE-2024-1709 was exploited by ransomware gangs and a North Korean APT hacking group to run malware.

BleepingComputer sent additional questions to ConnectWise but has not heard back at this time.

This breach is another stark reminder that even companies specializing in IT management and security are not immune to sophisticated cyber threats, especially those tied to nation-state actors.
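A simplified model of the trust relationship behind the machine-key issue described for CVE-2025-3935, added here as an example and not taken from the article, ConnectWise, or ASP.NET. The blob layout (state plus an HMAC-SHA256 tag), the function names and the random keys are assumptions constructed for illustration; it shows that a MAC only stops parties who lack the key, and that replacing the key is what makes state minted under a stolen key fail verification.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

MAC_LEN = 32  # length of an HMAC-SHA256 tag in bytes


def protect(key: bytes, state: bytes) -> str:
    """Server side: append a MAC so the state cannot be altered without the key."""
    tag = hmac.new(key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode()


def verify(trusted_keys: List[bytes], blob: str) -> Optional[bytes]:
    """Return the state only if its MAC matches a currently trusted key."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None  # not valid base64
    if len(raw) < MAC_LEN:
        return None  # too short to carry a tag
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    for key in trusted_keys:
        expected = hmac.new(key, state, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):  # constant-time comparison
            return state  # only verified state may reach a deserializer
    return None


def scenario() -> dict:
    old_key = os.urandom(32)  # constructed key standing in for the machine key
    new_key = os.urandom(32)  # replacement key after rotation
    legit = protect(old_key, b"page-state:user=alice")
    raw = bytearray(base64.b64decode(legit))
    raw[0] ^= 1  # modification by a party that does not hold the key
    tampered = base64.b64encode(bytes(raw)).decode()
    minted = protect(old_key, b"state minted by a key holder")
    return {
        "legit": verify([old_key], legit),
        "tampered_without_key": verify([old_key], tampered),
        "minted_with_key": verify([old_key], minted),
        "minted_after_rotation": verify([new_key], minted),
        "legit_after_rotation": verify([new_key], legit),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result!r}")
```

Rotation also invalidates legitimate state issued under the old key, so clients holding it must fetch fresh pages afterwards.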