ConnectWise’s R1Soft Server Backup Manager software is being exploited by hackers to deploy backdoors on hundreds of servers. A vulnerability discovered in the software last year has been patched, but attackers are still exploiting it to gain initial access to a server and then deploy a malicious database driver that gives them backdoor access.
The flaw was initially disclosed in October 2022, and ConnectWise warned at the time that the vulnerability was at high risk of being exploited in the wild. Huntress, a managed endpoint detection and response firm, later disclosed that the flaw is an authentication bypass and sensitive file leak vulnerability affecting the ZK Java framework used by the R1Soft software.
Cybersecurity company Fox-IT discovered that the R1Soft vulnerability has been exploited in the wild since late November 2022. As of February 20, Fox-IT identified 146 backdoored servers, a drop from 286 that were identified on January 9.
Most of the compromised servers were found in the United States and South Korea, and multiple hosting providers globally were found to be affected. The attackers exfiltrated files from the compromised systems, including IT admin information, VPN configuration files, and sensitive documents.
Fox-IT has released indicators of compromise (IoCs) that can help organizations determine whether their systems have been hacked through exploitation of CVE-2022-36537. The firm has advised organizations that use R1Soft software to check if their installations are affected and patch the vulnerability as soon as possible.
Organizations are also advised to conduct internal security assessments and review their logs to identify any suspicious activity. The recent incident highlights the importance of patching vulnerabilities and regularly conducting security assessments to mitigate the risk of cyberattacks.