Security News

ConnectWise’s R1Soft Vulnerability: Huntress Researcher Answers Five Questions

O’Ryan Johnson

Caleb Stewart, one of the Huntress researchers who worked on an exploit that could have infected thousands of ConnectWise customers, tells CRN, ‘It’s great we were able to find it.’

A vulnerability in ZK, an application for Java developers, was later found to open a path that would have allowed threat researchers with Huntress to install ransomware on ConnectWise R1Soft, which manages backup servers, and on any agents those servers were connected to.

Huntress researchers John Hammond and Caleb Stewart worked on the exploit together after it surfaced as a way to bypass authentication and log in to R1Soft with admin privileges.

“We caught wind of this and thought, ‘Wow. There’s a significant impact even in just that authentication bypass. And then the sensitive file leak and other information you might be able to retrieve,’ so we decided to look into it,” Hammond said. “We thought, can this be weaponized further? Because a backup server, that’s potentially a crown jewel for a threat actor.”

The vulnerability was first discovered earlier this year by Markus Wulftange, a senior penetration tester with Code White, a German cybersecurity firm. It was patched by ZK, which sent out an advisory along with a new version of the product, Huntress said.

However, ConnectWise R1Soft Server Backup Manager used an unpatched version. The two said that by chaining together developer software, they were finally able to achieve remote code execution. Then, using Shodan, the internet-connected device search engine, the team was able to see how many exposed R1Soft servers could potentially be affected.

ConnectWise patched the software on Friday, sending hotfixes to all cloud-connected products. ConnectWise did not respond to requests for comment. A ConnectWise user reached Friday said the company has improved considerably in how it handles security for its MSP partners.

The project took Huntress about two weeks to carry out.

Meanwhile, Huntress’ Stewart talked with CRN about the satisfaction of being able to work on a security flaw before criminals get to it, as well as how dangerous this could have been. Here’s what Stewart had to say.

O’Ryan Johnson

O’Ryan Johnson is a veteran news reporter. He covers the data center beat for CRN and hopes to hear from channel partners about how he can improve his coverage and write the stories they want to read. He can be reached at ojohnson@thechannelcompany.com.
