ConnectWise last week patched a critical software flaw found by Huntress security researchers.
The vulnerability could have been used to execute code remotely and push ransomware into approximately 5,000 ConnectWise R1Soft servers.
A ConnectWise partner said the Florida-based company remotely fixed the flaw, which affects the firm’s backup and disaster recovery products.
Huntress chief executive Kyle Hanslovan said that uncovering the flaw began with a researcher’s tweet and snowballed into the “ability to push ransomware through ~5,000 R1Soft servers.”
He appeared caught off guard by ConnectWise announcing the critical flaw on a Friday.
“Whelp, wasn’t expecting this ConnectWise RCE to become public today. Guess we’ll publish on Monday how Huntress went from a researcher’s tweet to the ability to push ransomware through ~5,000 R1Soft servers that are exposed on Shodan,” Hanslovan said.
“#StayTuned for some amazing work by Caleb Stewart and John Hammond!”
Stewart, who along with Hammond on Monday will demonstrate how they uncovered the exploit, told CRN US their team tested the patch to see that it worked.
“What we were able to prove is that it was a full authentication bypass that you could use to exploit the server and get remote code execution, but because it’s a backup manager that manages a lot of other machines, other hosts, other agents – we could use that to get code execution on those registered agents that the backup manager managed,” Stewart told CRN US last week.
CRN US has reached out to ConnectWise for comment.
Once the researchers paired that exploit with the server search engine Shodan, Huntress found 5,000 unpatched, internet-exposed servers it could have taken over without authentication and then executed remote code on, as well as on the machines those servers backed up.
“If we were the bad actors we could have reached out to all 5,000 servers and exploited all of them. And not just those individual servers themselves, but also any of the agents that they manage as well,” Stewart said.
“Aside from proving it, the work we did helps because this patch came out and we were able to very quickly pull that patch down and install the patched version and test our implementation of the exploit.”
ConnectWise has been a persistent target for cybercrime since the company’s MSP operational platform can give crooks the ability to remotely access thousands of customers through a single solution provider.
One such attack in 2019 exploited ConnectWise Control to ransom 22 school districts in Texas. Since then, the company has taken a more proactive security posture.
Stewart said the two companies were able to work together to fix this vulnerability quickly, which makes the entire ecosystem that much more secure.
“It’s great that we were able to find it and work closely with ConnectWise to figure it out,” he said.
“It not only helped us with our customers and the people we are protecting, but being able to push that information back through ConnectWise to get a solution out as quickly as possible I think is great,” he added.
ConnectWise regularly posts security updates for users of its product on the company’s website. In the last two years, there were patches for three “critical” security flaws.