Server backup vulnerability piggybacked to live systems

Open source bug leads to server backup bug leads to... crime.

A UK provider of Infrastructure-as-a-Service (IaaS) to retail and institutional financial market traders was among the companies publicly exposed to a vulnerability that is being exploited in the wild, security researchers say; a worrying sign after another market services provider, ION, was hit by ransomware, roiling markets in February.

The vulnerability under attack is CVE-2022-36537. CISA confirmed it as being actively exploited on January 27. (Evidence of exploitation goes back to at least November 29, 2022, researchers at NCC’s FOX-IT say.)

The bug affects server backup software from ConnectWise. Attackers have exploited it and are using the vulnerable agent to ride into other servers that are being backed up, effectively surfing backwards from backup systems to live environments from which they can steal critical data or drop malware as they choose.

R1Soft Server Backup Manager software vulnerability: CVE-2022-36537 abused
Best to just... turn that one off then.

The bug is in the open source ZK Java framework. It was first spotted by Markus Wulftange of Code White GmbH who disclosed responsibly and helped encourage the patched release of ZK version 9.7.2 in May 2022.

Among the products using the vulnerable open source component was ConnectWise’s R1Soft Server Backup Manager software.

Wulftange’s colleague @frycos initially tried to disclose the vulnerability to ConnectWise but failed to get a response within 90 days, so published a proof-of-concept (PoC), which was rapidly affirmed as effective by fellow security researchers at Huntress.

Huntress researchers successfully built on the PoC to leak server private key files, software licenses and system configuration files, to gain Remote Code Execution (RCE) as the system superuser, and to manipulate the R1Soft software to push further arbitrary code execution downstream to all registered endpoints.

ConnectWise later engaged with security researchers and pushed a patch live on October 28. But unpatched instances have since been exploited by hackers for initial access and lateral movement. (Nearly 1,800 service providers use the software to protect 250,000 servers; nearly 5,000 were initially publicly exposed, says Huntress.)

  • ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted.
  • R1Soft: SBM v6.16.3 and earlier versions are impacted.
  • Original R1Soft Server Backup Manager software vulnerability advisory is here
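For teams checking their own estate against the version ranges above, here is a small triage sketch. It is an added example, not code from ConnectWise, Huntress or FOX-IT; the inventory format, hostnames and status labels are constructed for illustration, and only the two version thresholds come from the list above.

```python
import re

# Last affected releases as listed in the article ("and earlier versions are impacted").
LAST_AFFECTED = {
    "connectwise recover": (2, 9, 7),
    "r1soft sbm": (6, 16, 3),
}

def parse_version(text):
    """Parse 'v6.16.3', '6.16.3-78' or '6.9' into a numeric tuple of at least 3 parts."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))

def classify(product, version, exposed):
    """Return 'affected-exposed', 'affected', 'not-affected' or 'unknown'."""
    threshold = LAST_AFFECTED.get(product.strip().lower())
    if threshold is None:
        return "unknown"            # product not named in the article
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unknown"            # version missing or free text: verify by hand
    if parsed > threshold:          # numeric compare, so 6.9 sorts below 6.16
        return "not-affected"       # above the range the article lists
    return "affected-exposed" if exposed else "affected"

# Constructed sample inventory: host, product, version, management UI reachable from internet.
SAMPLE_INVENTORY = """\
backup01.example.internal,R1Soft SBM,v6.16.3-78,yes
backup02.example.internal,R1Soft SBM,6.9.0,no
backup03.example.internal,R1Soft SBM,6.16.4,yes
dr01.example.internal,ConnectWise Recover,2.9.7,no
dr02.example.internal,ConnectWise Recover,n/a,yes
"""

def triage(inventory_text):
    """Classify every inventory row and list exposed, affected hosts first."""
    order = {"affected-exposed": 0, "affected": 1, "unknown": 2, "not-affected": 3}
    rows = []
    for line in inventory_text.strip().splitlines():
        host, product, version, exposed = (f.strip() for f in line.split(","))
        rows.append((host, classify(product, version, exposed.lower() == "yes")))
    return sorted(rows, key=lambda r: order[r[1]])

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{status:17} {host}")
```

Rows marked `unknown` need a manual check rather than being treated as safe.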

Backup agent being used to piggyback to other systems

Most companies affected rapidly patched or pulled exposed interfaces offline – there were 4,738 instances exposed at the initial time of disclosure in October 2022. Researchers at FOX-IT said in a February 22 blog that as of early this year they could still identify 286 servers running vulnerable versions of the software.

The NCC Group-owned firm said that it had also “found traces of an adversary leveraging ConnectWise R1Soft Server Backup Manager software… as an initial point of access and as a platform to control downstream systems connected via the R1Soft Backup Agent. This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges. This means that after the adversary initially gained access via the R1Soft server software it was able to execute commands on all systems running the agent…”

Among those in the UK exposed, according to FOX-IT’s analysis, is a provider of low latency connectivity to numerous financial services clients. As ever, prompt patching where humanly possible is strongly advised.

Somewhat limited IOCs from FOX-IT as seen to-date here.
