R1Soft Server Backup Manager Vulnerability Exploited to Deploy Backdoor

A vulnerability discovered last year in ConnectWise’s R1Soft Server Backup Manager software has been exploited to deploy backdoors on hundreds of servers. 

In late October 2022, ConnectWise informed customers that a critical vulnerability patched in Recover and R1Soft Server Backup Manager products that could allow an attacker to execute arbitrary code or directly access confidential data. 

The vendor warned at the time that the flaw was at high risk of being exploited in the wild and urged users to patch their installations as soon as possible. 

A few days later, managed endpoint detection and response (EDR) firm Huntress explained that this was actually an authentication bypass and sensitive file leak vulnerability affecting the ZK Java framework used by the R1Soft software. The flaw in ZK is tracked as CVE-2022-36537 and it was patched in May 2022.

Huntress researchers demonstrated at the time how an attacker could bypass authentication and upload a backdoored JDBC database driver to achieve arbitrary code execution, and push a piece of ransomware to all downstream endpoints managed by the software. 

The security firm warned that there had been nearly 5,000 internet-exposed R1Soft servers at the time and hackers could exploit the vulnerability to push ransomware to these systems.

During a recent incident response case, cybersecurity company Fox-IT found evidence that the R1Soft vulnerability had been exploited to gain initial access to a server. The attackers then deployed a malicious database driver that gave them backdoor access.

An analysis by Fox-IT showed that the vulnerability has been exploited in the wild since late November 2022. On January 9, Fox-IT identified 286 backdoored servers, mainly in the United States and South Korea. As of February 20, the number dropped to 146 backdoored servers.

“With the help of fingerprinting, we have identified multiple compromised hosting providers globally,” Fox-IT said in a blog post on Wednesday.

In the attacks observed by the company, the attackers exfiltrated files from compromised systems, including VPN configuration files, IT admin information, and sensitive documents.

Fox-IT has released indicators of compromise (IoCs) that can help organizations determine whether their systems have been hacked through exploitation of CVE-2022-36537.

UPDATE: Patrick Beggs, CISO at ConnectWise, provided the following statement:

“In October 2022, we identified and issued a fix to a newly identified flaw in a component of our underlying framework in ConnectWise Recover and R1Soft, following a responsible disclosure from a third party. We informed our partners of the fix and encouraged those with on-premise instances of the impacted product to install the patch as soon as possible. There was no action required for most partners with ConnectWise Recover; both the cloud and client instances of Server Backup Manager (SBM) were updated as we pushed this patch directly. R1Soft is self-managed; we encouraged these partners to apply the patch quickly. As these threat actors are targeting unpatched servers for exploitation, we continue to encourage our partners to follow industry best practices and patch immediately.

If you have a non-active security incident or a security vulnerability to report, you can do so at any time, 24/7, via the ConnectWise Trust Center. To report an active, urgent security incident, please call our Partner InfoSec Hotline at 1-888-WISE911 and a member of our InfoSec team will promptly assist you.”

Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild

Related: Surge in ESXiArgs Ransomware Attacks as Questions Linger Over Exploited Vulnerability

Related: Fortinet Patches Critical Code Execution Vulnerabilities in FortiNAC, FortiWeb