A vulnerability discovered last year in ConnectWise’s
R1Soft Server Backup Manager software has been exploited to deploy
backdoors on hundreds of servers.
In late October 2022, ConnectWise informed customers that it had
patched a critical vulnerability in its Recover and R1Soft Server
Backup Manager products that could allow an attacker to execute
arbitrary code or directly access confidential data.
The vendor warned at the time that the flaw was at high risk of
being exploited in the wild and urged users to patch their
installations as soon as possible.
A few days later, managed endpoint detection and response (EDR)
firm Huntress explained that this was actually an authentication
bypass and sensitive file leak vulnerability affecting the ZK Java
framework used by the R1Soft software. The flaw in ZK is tracked as
CVE-2022-36537 and it was patched in May 2022.
Huntress researchers demonstrated at the time how an attacker
could bypass authentication and upload a backdoored JDBC database
driver to achieve arbitrary code execution, and push a piece of
ransomware to all downstream endpoints managed by the
software.
The security firm warned that nearly 5,000 R1Soft servers were
exposed to the internet at the time and that hackers could exploit
the vulnerability to push ransomware to these systems.
During a recent incident response case, cybersecurity company
Fox-IT found evidence that the R1Soft vulnerability had been
exploited to gain initial access to a server. The attackers then
deployed a malicious database driver that gave them backdoor
access.
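The backdoor in this case was a malicious database driver dropped into the backup manager's driver set. One check an incident responder can run on such a server is a JAR inventory: hash every driver JAR against a known-good baseline, and list any class inside a vendor's driver JAR that lives outside that vendor's package tree, since an implant is typically the legitimate JAR with extra classes added. The script below is an added example, not Fox-IT's or ConnectWise's tooling; the directory layout, JAR names, vendor package prefixes and the two driver sets it builds are constructed fixtures so it runs offline.

```python
"""Integrity check for JDBC driver JARs on a backup server (added example).

Not the vendor's or Fox-IT's code. Directory names, JAR names and the
vendor package prefixes below are assumptions; the JARs are built in a
temp directory so the check runs without a real R1Soft install.
"""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

# Assumed mapping of driver JAR -> package prefixes that JAR may legitimately contain.
VENDOR_PREFIXES = {
    "postgresql.jar": ("org/postgresql/",),
    "mysql-connector.jar": ("com/mysql/",),
}

STUB = b"\xca\xfe\xba\xbe stub class body"  # placeholder bytes, not real bytecode


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_jars(driver_dir: Path) -> dict:
    """Map every *.jar directly under driver_dir to its SHA-256."""
    return {p.name: sha256_file(p) for p in sorted(driver_dir.glob("*.jar"))}


def diff_against_baseline(current: dict, baseline: dict) -> dict:
    """Classify JARs as added, missing or modified relative to a trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
    }


def foreign_classes(jar_path: Path, allowed_prefixes: tuple) -> list:
    """Class entries in the JAR whose package is outside the vendor's namespace."""
    with zipfile.ZipFile(jar_path) as z:
        return sorted(
            n for n in z.namelist()
            if n.endswith(".class") and not n.startswith(allowed_prefixes)
        )


def _write_jar(path: Path, entries: dict) -> None:
    """Write a tiny JAR with fixed timestamps so hashes are reproducible."""
    with zipfile.ZipFile(path, "w") as z:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2022, 5, 1, 0, 0, 0))
            z.writestr(info, data)


def build_fixtures(root: Path):
    """Constructed fixture: a known-good driver set and a live set in which the
    MySQL driver JAR has gained one class outside the vendor's package."""
    good, live = root / "baseline", root / "live"
    good.mkdir()
    live.mkdir()
    for d in (good, live):
        _write_jar(d / "postgresql.jar", {"org/postgresql/Driver.class": STUB})
    _write_jar(good / "mysql-connector.jar", {"com/mysql/cj/jdbc/Driver.class": STUB})
    _write_jar(live / "mysql-connector.jar", {
        "com/mysql/cj/jdbc/Driver.class": STUB,
        "com/example/Backdoor.class": STUB,  # the extra class an implant would add
    })
    return good, live


def run_demo() -> dict:
    """Build the fixtures, run both checks and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="jdbc-check-"))
    good, live = build_fixtures(root)
    baseline = inventory_jars(good)
    current = inventory_jars(live)
    diff = diff_against_baseline(current, baseline)
    foreign = {
        name: foreign_classes(live / name, VENDOR_PREFIXES[name])
        for name in current if name in VENDOR_PREFIXES
    }
    return {"diff": diff, "foreign": {k: v for k, v in foreign.items() if v}}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hash comparison only works if the baseline comes from a trusted copy (vendor download or a pre-incident backup), and the package-prefix heuristic catches added classes but not a vendor class that was modified in place, so treat a clean result from either check alone as inconclusive.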
An analysis by Fox-IT showed that the vulnerability has been
exploited in the wild since late November 2022. On January 9, 2023,
Fox-IT identified 286 backdoored servers, mainly in the United States
and South Korea. By February 20, the number had dropped to 146
backdoored servers.
“With the help of fingerprinting, we have identified multiple
compromised hosting providers globally,” Fox-IT said in a blog post
on Wednesday.