Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

R1Soft Server Backup Manager Vulnerability Exploited to Deploy Backdoor

Hackers have been exploiting a vulnerability tracked as CVE-2022-36537 to hack hundreds of R1Soft servers.

A vulnerability discovered last year in ConnectWise’s R1Soft Server Backup Manager software has been exploited to deploy backdoors on hundreds of servers. 

In late October 2022, ConnectWise informed customers that a critical vulnerability patched in Recover and R1Soft Server Backup Manager products that could allow an attacker to execute arbitrary code or directly access confidential data. 

The vendor warned at the time that the flaw was at high risk of being exploited in the wild and urged users to patch their installations as soon as possible. 

A few days later, managed endpoint detection and response (EDR) firm Huntress explained that this was actually an authentication bypass and sensitive file leak vulnerability affecting the ZK Java framework used by the R1Soft software. The flaw in ZK is tracked as CVE-2022-36537 and it was patched in May 2022.

Huntress researchers demonstrated at the time how an attacker could bypass authentication and upload a backdoored JDBC database driver to achieve arbitrary code execution, and push a piece of ransomware to all downstream endpoints managed by the software. 

The security firm warned that there had been nearly 5,000 internet-exposed R1Soft servers at the time and hackers could exploit the vulnerability to push ransomware to these systems.

During a recent incident response case, cybersecurity company Fox-IT found evidence that the R1Soft vulnerability had been exploited to gain initial access to a server. The attackers then deployed a malicious database driver that gave them backdoor access.

An analysis by Fox-IT showed that the vulnerability has been exploited in the wild since late November 2022. On January 9, Fox-IT identified 286 backdoored servers, mainly in the United States and South Korea. As of February 20, the number dropped to 146 backdoored servers.

Advertisement. Scroll to continue reading.

“With the help of fingerprinting, we have identified multiple compromised hosting providers globally,” Fox-IT said in a blog post on Wednesday.

In the attacks observed by the company, the attackers exfiltrated files from compromised systems, including VPN configuration files, IT admin information, and sensitive documents.

Fox-IT has released indicators of compromise (IoCs) that can help organizations determine whether their systems have been hacked through exploitation of CVE-2022-36537.

UPDATE: Patrick Beggs, CISO at ConnectWise, provided the following statement:

“In October 2022, we identified and issued a fix to a newly identified flaw in a component of our underlying framework in ConnectWise Recover and R1Soft, following a responsible disclosure from a third party. We informed our partners of the fix and encouraged those with on-premise instances of the impacted product to install the patch as soon as possible. There was no action required for most partners with ConnectWise Recover; both the cloud and client instances of Server Backup Manager (SBM) were updated as we pushed this patch directly. R1Soft is self-managed; we encouraged these partners to apply the patch quickly. As these threat actors are targeting unpatched servers for exploitation, we continue to encourage our partners to follow industry best practices and patch immediately.


If you have a non-active security incident or a security vulnerability to report, you can do so at any time, 24/7, via the ConnectWise Trust Center. To report an active, urgent security incident, please call our Partner InfoSec Hotline at 1-888-WISE911 and a member of our InfoSec team will promptly assist you.”

Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild

Related: Surge in ESXiArgs Ransomware Attacks as Questions Linger Over Exploited Vulnerability

Related: Fortinet Patches Critical Code Execution Vulnerabilities in FortiNAC, FortiWeb

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Cloud and cybersecurity MSP Ekco has appointed Ben Savage as UK CEO.

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.