ConnectWise warns of threat activity linked to suspected nation-state hackers

ConnectWise is investigating suspicious activity — likely associated with a nation-state actor — affecting a limited number of customers that use ScreenConnect. 

In a post on its website, ConnectWise said it has notified all affected customers, alerted law enforcement to the attack and retained Mandiant to help with its investigation. 

A company spokesperson added that ConnectWise issued a patch for ScreenConnect and implemented enhanced monitoring and hardening measures across its environment.

“Our investigation is ongoing,” the spokesperson told Cybersecurity Dive in an emailed statement. “However, we have not observed further suspicious activity in ScreenConnect cloud instances since the patch was installed.”

It is not immediately clear whether the patch addresses a specific vulnerability. 

A Mandiant spokesperson confirmed that the cybersecurity firm is assisting with the forensic response but declined to share any additional information, citing the ongoing investigation.

Hackers have targeted ConnectWise in the past by exploiting vulnerabilities in its software. In February 2024, hackers attempted to deploy LockBit ransomware against vulnerable ScreenConnect instances using a critical authentication bypass vulnerability listed as CVE-2024-1709.

