A cross-site scripting (XSS) vulnerability in ConnectWise Control, the remote monitoring and management (RMM) platform, offered attackers a powerful attack vector for abusing remote access tools.
Now patched, the stored XSS flaw was disclosed by Guardio Labs, which in July published an analysis of tech support scams, a widespread phenomenon whereby scammers abuse RMM platforms in order to create fake technical support portals and dupe victims into inadvertently installing malware.
Once installed, a remote access tool gives attackers remote control of a victim’s desktop PC or mobile device and, said the report, “is persistent, mostly undetectable, and bypasses almost all regular forms of protection. And in a show of supreme chutzpah, these scammers even manipulate this capability to bypass 2FA protection and take full control of PayPal and bank accounts”.
A new technical write-up documenting the ConnectWise XSS explains how attackers could easily register for a free, anonymous email account and submit fake personal details. This would give them a corporate-grade remote access agent and support portal they could customize – with no coding skills needed – to convincingly mimic famous brands.
Scammers could then call and dupe victims by, for example, sending “them a fake invoice for some service they never registered to, urgently referring them to a […] fake refund service portal to enter the ‘invoice’ code (triggering the dedicated silent [remote access tool] installation),” wrote Nati Tal, head of Guardio Labs.
Full control
The stored XSS bug arose from a lack of sanitation of the Page.Title resource. “Any code we maliciously inject in between the
“A script executing from this context gives an attacker full control over any element of the webapp, potentially altering any element of the page as well as connection to the backend servers,” contined Tal.
Scammers could also “abuse the hosting service itself – allowing misuse of ConnectWise hosting, identity, and certificate to serve malicious code or gain full access to admin pages even after the trial period is over.”
‘Bold move’
ConnectWise recently added a prominent advisory to its remote support service to alert visitors to this social engineering threat. However, Guardio Labs found that attackers could also execute code that removes this warning.
ConnectWise has since responded by removing the customization feature for trial accounts – “a bold move” that would prevent scammers from creating credible-looking Amazon or Microsoft support pages but at the cost of losing a useful feature and commercial differentiator, noted Tal. “They sure took this matter seriously which is very appreciated and will surely help make web browsing safer and the scammers’ life a bit harder,” he said.
“ConnectWise was very responsive and quickly fixed the issue” by adding sanitization to Page.Title that neutralized Guardio’s exploit code, added the researcher.
Users are advised to update to version v22.6, released on August 8, 2022, or later.
Copyright 2021 Associated Press. All rights reserved.
Source: https://portswigger.net/daily-swig/connectwise-closes-xss-vector-for-remote-hijack-scams