TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

ConnectWise/R1Soft RCE & Supply Chain Risks | Huntress

2022-10-31

ATT&CK techniques detected

9 predictions

T1190 Exploit Public-Facing Application
99%
"connectwise/r1soft rce & supply chain risks | huntress update 2/27/23: as recently spotted by fox-it and subsequently reported in securityweek, a critical vulnerability discovered last year in connectwise’s r1soft server backup manager software has now been seen exploi…"

T1190 Exploit Public-Facing Application
99%
"complete timeline - may 2022 - markus wulftange of code white gmbh discloses zk auth bypass - july 2022 - florian hauser of code white gmbh attempts to report to connectwise - 14 october 2022 - florian hauser teases initial authentication bypass screenshots on twitter - 16 octobe…"

T1190 Exploit Public-Facing Application
98%
"respond to security issues — and to act quickly before bad actors take advantage of known exploits. our findings huntress security researchers john hammond and caleb stewart conducted the work to recreate the proof-of-concept and explore its impact. we were able to retrieve a…"

T1486 Data Encrypted for Impact
77%
"huntress has validated an initial report for an authentication bypass and sensitive file leak present in the java framework “zk”, used within the connectwise r1soft software server backup manager se. this post details the severity of this supply chain finding, emphasizes the imme…"

T1190 Exploit Public-Facing Application
58%
"severity of this issue by running our poc exploit to: - bypass authentication - upload a backdoored jdbc database driver to gain code execution - use the rest api to trigger commands to registered agents to ultimately push the recently leaked lockbit 3.0 ransomware to all downs…"

T1486 Data Encrypted for Impact
48%
"severity of this issue by running our poc exploit to: - bypass authentication - upload a backdoored jdbc database driver to gain code execution - use the rest api to trigger commands to registered agents to ultimately push the recently leaked lockbit 3.0 ransomware to all downs…"

T1068 Exploitation for Privilege Escalation
47%
"of-concept further. at this point, we deviated from the zk vulnerability itself and were leveraging features and functionality of the r1soft application itself. zk opened the door with the authentication bypass — but now, as an admin user, we had the same power and privileges a…"

T1068 Exploitation for Privilege Escalation
37%
"severity of this issue by running our poc exploit to: - bypass authentication - upload a backdoored jdbc database driver to gain code execution - use the rest api to trigger commands to registered agents to ultimately push the recently leaked lockbit 3.0 ransomware to all downs…"

T1190 Exploit Public-Facing Application
34%
"huntress has validated an initial report for an authentication bypass and sensitive file leak present in the java framework “zk”, used within the connectwise r1soft software server backup manager se. this post details the severity of this supply chain finding, emphasizes the imme…"

Summary

Huntress has validated an initial report of an authentication bypass and sensitive file leak in the Java framework “ZK”, which is used within ConnectWise’s R1Soft Server Backup Manager SE software.