Automation Theory

Are your MSP tools naked on the Internet? We've updated our #MSP Tool #Security Scanner to scan a variety of common MSP tools (formerly, it was ConnectWise Automate specific). It's designed to check the security posture of MSP tools -- and it can tell you if there's exposed surface area that might be a security issue. We've also added a letter-grade component to the scanner. This is designed to give a quick reference point without diving into the technical weeds. So, if you use #ConnectWiseAutomate, #ScreenConnect, #ConnectWisePSA / #ConnectWiseManage, #Hudu, or #BitWarden (along with any other self-hosted MSP tool with a web UI) you can get a security report for it here: https://lnkd.in/gZwZFQkj

In today’s digital landscape, the importance of robust security measures cannot be overstated. MSPs must prioritize the protection of their internal tools. Baseline security may feel comfortable, but it makes you vulnerable to threats. WAF protection is not just an option; it's a necessity. Here’s why: Comprehensive Defense: WAFs provide an additional layer of security against various attacks, ensuring that your applications remain safe and operational. Proactive Approach: By implementing WAF, we shift from reactive to proactive security strategies, minimizing risks before they escalate. Seamless Integration: WAFs can easily fit into existing infrastructures, allowing us to enhance security without disrupting workflows. Let’s commit to staying ahead of potential threats and safeguarding clients’ digital environments. It’s time to turn our focus toward robust security measures and protect what matters most. What strategies are you implementing to enhance security in your operations? We'd love to hear your insights! #MSP #CyberSecurity #WAFProtection #DigitalTransformation #ClientSafety

5,456 MSPs have their Hudu instance enumerable in Shodan (but it gets WAY worse -- but then better...). As part of #cybersecurityawarenessmonth, we're bringing back #attacksurfacemonday, where we educate the #MSP industry on zero-day risk from common MSP tools. Today, we're looking at the documentation system #Hudu. Initially, we were going to post this earlier in the month, but we found significant concerns about their cloud. It was cringeworthy enough that we contacted their support and brought glaring issues to their attention. So far as we can tell, they fixed the issues based on our report (although we never heard anything beyond the fact that our ticket was escalated to their security team). So, what did we find? We found open SSH ports on cloud-hosted instances of Hudu. This is bad practice (akin to leaving RDP open), but it got worse. Shodan recorded the service banner, which gave us the version details. From this, we gleaned two details: there were unpatched vulnerabilities in that version of SSH, and the SSH package was from an EoL operating system. Our suggested remediation was to enable the hosting provider's firewall service as a phase-one step, and it looks like those steps were taken. Upgrading those systems to supported OSes will likely take a while (and will hopefully happen), but the immediate threat is gone. However, the issue is that the industry generally thinks outsourcing hosting risk to vendors is a good idea. Surely, a documentation vendor with SOC 2 Type 2, HIPPA, and GDPR compliance wouldn't run EoL operating systems with exposed remote access ports, right? Wrong. In the end, Hudu did the right thing quickly, but not every vendor is as agile. The industry needs to wake up and realize that security is not always better outsourced to vendors.

MSPs access sensitive client systems, yet many are still leaving themselves exposed online. With threats growing every day, can your business really afford to ignore its own cybersecurity vulnerabilities? 🔥 Don't be like the MSP industry in this meme — it's time to secure your systems before it's too late. Automation Theory provides comprehensive security solutions to ensure your MSP isn't caught 'naked' online. Let's chat about how we can safeguard your MSP tools. 🚀 #cybersecurity #MSP #digitalprotection #infosec #cyberthreats

9,457 MSPs (at least!) have their ScreenConnect open to the world. As part of #cybersecurityawarenessmonth, we're bringing back #attacksurfacemonday, where we educate the #MSP industry on zero-day risk from common MSP tools. Today, we look at #ScreenConnect, the remote access platform. The 9.4k+ visible instances are all on-premise deployments -- which 8 months ago were impacted by a CVSS 10 vulnerability and likely the worst MSP #cyberattack in history. As mentioned in previous installments, enumerability is dangerous, as exploits can be unleashed at an unimaginable scale if/when a vulnerability is found. This played out in February, as it took less than 48 hours from disclosure to exploit. The mind-boggling part is the industry's seeming acceptance of what we call the "zero-day world." Traditional guidance for MSPs is what we call "MFA, patch, and pray," which focuses on basic fundamentals while ignoring existential risk. Many MSPs saw their lives flash before their eyes less than 12 months ago and haven't thought twice about it. Beyond the existential threat, we also see a lot of other bad practices: - 9,457 ScreenConnect instances are running on plain-text - 709 MSPs are using self-signed certs - 2,178 MSPs have vulnerable SSL/TLS versions (including 4 instances on SSLv2!!) Automation Theory has products designed to protect these applications, but the industry must be aware that this is a problem. We can't continue to be like the ostrich and accept catastrophic existential risk as the status quo. Take the time to share this, and be a leader in industry security!

Are you one of the 1,542 MSPs with your CW Manage/PSA open to the world? As part of #cybersecurityawarenessmonth, we're bringing back #attacksurfacemonday, where we educate the #MSP industry on zero-day risk from common MSP tools. Today, we look at #ConnectWise PSA/Manage. The 1.5k+ visible instances are on-premise, with the lion's share in the US (with Australia, Canada, the UK, and New Zealand rounding out the top countries). Enumeration is dangerous from a security perspective since it is the first stage of an attack. The real danger is the scenario where an attacker finds a zero-day exploit (and has thousands of would-be targets that can be located and targeted within minutes). Typically, RMM tools get all the attention regarding zero-day risk since they are vectors for ransomware attacks. However, PSAs carry a significant amount of business risk. In the event of an exploit, critical functions such as billing, purchasing, sales, and support flow through the PSA. While impact varies based on MSP, almost every phone call to an MSP results in action in the PSA, making downtime very expensive. Apart from the existential risk of zero-days from enumerability, we see other issues based on Shodan data. 66% of CW PSA servers have TLS 1.1 enabled, and 86 instances run on EoL Windows server versions. Even for the 33% of MSPs with properly configured servers, those servers are still naked on the Internet and should have additional security layers in place. Automation Theory has products designed to protect these applications -- but the industry must be aware that this is a problem. Take the time to share this, and be a leader in industry security!

While this probably isn't a zero-day scenario, how do you think the bad actors found this #MSP? We'll probably never know, but they were enumerated somehow, were attacked, and now have a bad actor selling access to their RMM. There are 910 Kaseya VSA servers in Shodan. Any bad actor who wants to target MSPs with the Kaseya toolstack can find would-be victims in seconds, and then start to poke at external defenses (and if your VSA server is listening on TLS 1.0, like 43% of them are, then it's probably a sign your organization has gaps in your overall security program). Kaseya VSA isn't an application we currently support with our products -- but this lesson applies to all MSP tools. Stay safe out there!

6,512 MSPs have their RMM open to the world. As part of #cybersecurityawarenessmonth, we're bringing back #attacksurfacemonday, where we educate the #MSP industry on zero-day risk from common MSP tools. Today, we look at #ConnectWise Automate. The 6.5k+ visible instances represent both on-premise and cloud deployments (we've written content covering security considerations for Hosted RMM in the past). The basic enumerability is dangerous, as a zero-day exploit could be deployed extremely quickly to any enumerable system. Suppose a bad actor discovers such a vulnerability. In that case, we are minutes away from the worst cyber attack in history (and increasingly, insurance companies are adding "widespread event" exclusions, so losses from such an event might be catastrophic for the MSPs involved). Beyond the existential threat, we also see a lot of other bad practices: - 133 MSPs are using self-signed certs - 9 MSPs are using home-brew proxies that aren't working correctly - 129 MSPs have SSL3 configured - 66 MSPs are still using Server 2012 or 2012 R2 Automation Theory has products designed to protect these applications -- but the industry must be aware that this is a problem. This is an example of a single RMM tool -- but this issue exists across PSAs, documentation platforms, and numerous other MSP platforms.

Since October is #cybersecurityawarenessmonth, we wanted to kick things off with a sad metric: 39% of #ConnectWisePSA instances are still listening on TLS 1.0. The security risks of a PSA are different from those of an RMM, but for any #MSP, it's still important to defend that surface area. The data inside a PSA could be used to create incredibly effective social engineering attacks against downstream clients, and the fallout could be just as impactful as a ransomware incident. Reverse-Proxy-as-a-Service is compatible with ConnectWise Manage/PSA, so if you're looking to harden your surface area, we can help!

Congrats to our very own Amy Roell for completing her #ConnectWise Automate Certified Expert certification! Amy joined our team earlier this year, coming from outside the MSP space. She's quickly learned all of our technology stacks, but this certification shows her willingness to go above and beyond to better serve our clients. Congrats, Amy!