Active exploit of ZK Java Web Framework vulnerability

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level – High (CVSSv3 base score of 7.5): Compromise will result in the loss of confidentiality and integrity of data.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security vulnerability, tracked as CVE-2022-36537, to its Known Exploited Vulnerabilities (KEV) catalogue. The vulnerability affects the ZK Java Framework and can impact various products built on it. It stems from an issue in the ZK Framework’s AuUploader component that allows a threat actor to forward HTTP requests to an internal URI. A proof-of-concept (PoC) was created for the vulnerability in December 2022, which showed that the security flaw could be weaponised for several attack vectors, including:

– Authentication bypass
– Upload of a backdoored version of the JDBC database driver
– Deployment of ransomware.

A similar disclosure was also released on 22nd February 2023, stating that threat actors were also exploiting the vulnerability against ConnectWise R1Soft servers.

As it pertains to the ZK Framework, CVE-2022-36537 has been classified as an information disclosure vulnerability. However, within the context of ConnectWise R1Soft servers, the security flaw relates to a remote code execution.

Impact

Successful exploitation of CVE-2022-36537 grants a threat actor access to sensitive data via a crafted POST request sent to the AuUploader component.

It has also been reported that throughout the time period of reported compromise, the associated threat actor has successfully exfiltrated VPN configuration files, IT administration data and other sensitive files.

Vulnerability Detection

The respective vendors have released security patches for the affected product versions. Earlier versions remain vulnerable to exploitation.

Affected Products

– ZK Framework versions 9.6.1 and below
– ConnectWise Recover versions 2.9.7 and below
– ConnectWise R1Soft Server Backup Manager (SBM) version 6.16.3 and below

Containment, Mitigations & Remediations

ConnectWise R1Soft Server Backup Manager users are strongly recommended to update their R1Soft installations to the fixed version, v6.16.4. Users should also examine their environments for signs of compromise.

ZK Framework users should likewise update to the fixed version (v9.6.2) immediately.

Since ConnectWise R1Soft appears to be the primary vector for known attacks as of the time of writing, it is strongly advised that these patches are prioritised.

Indicators of Compromise

As it pertains to the backdoored JDBC driver, the following locations where Indicators of Compromise (IoCs) can be found have been disclosed:

– The server log file (/usr/sbin/r1soft/log/server.log)
– The agent logs (C:\Program Files\Server Backup Agent\log\cdp.log)

Associated R1Soft server.log IP addresses:

– 5.8.33[.]147
– 45.61.139[.]187
– 45.159.248[.]213
– 77.91.101[.]140
– 142.11.195[.]29
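The IP addresses above are published in defanged form, so they must be refanged before they can be matched against a log. As an added example that is not part of this bulletin and not vendor tooling, the following Python script refangs the listed indicators and scans server.log lines for them, returning the matching lines and a per-indicator count. The sample log lines are constructed for the example and do not reflect R1Soft's actual log format; point `scan_log_file` at the real `/usr/sbin/r1soft/log/server.log` path from the bulletin to run it against a live system.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable

# Indicators exactly as published in the bulletin (defanged with "[.]").
DEFANGED_IOCS = [
    "5.8.33[.]147",
    "45.61.139[.]187",
    "45.159.248[.]213",
    "77.91.101[.]140",
    "142.11.195[.]29",
]


def refang(indicator: str) -> str:
    """Turn a defanged IP such as '5.8.33[.]147' back into '5.8.33.147'.

    Raises ValueError if the result is not a valid IP address, so a
    typo in an indicator list is caught before it silently never matches.
    """
    candidate = indicator.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    ipaddress.ip_address(candidate)
    return candidate


IOC_IPS = frozenset(refang(i) for i in DEFANGED_IOCS)

# Whole-address match only: the look-arounds stop '5.8.33.147' from
# matching inside '5.8.33.1478' or '15.8.33.147'.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def scan_log_lines(lines: Iterable[str]) -> list[dict]:
    """Return one record per occurrence of a bulletin IP in the given lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append({"line": lineno, "ip": ip, "text": line.rstrip()})
    return hits


def ioc_counts(hits: list[dict]) -> dict:
    """Summarise hits as {indicator: number of lines it appeared on}."""
    return dict(Counter(h["ip"] for h in hits))


def scan_log_file(path: str) -> list[dict]:
    """Scan a log file on disk, e.g. /usr/sbin/r1soft/log/server.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log_lines(fh)


# Constructed sample lines (hypothetical format, not real R1Soft output).
SAMPLE_LOG = "\n".join([
    "2023-02-18 03:12:44 INFO  upload request from 10.0.0.12",
    "2023-02-18 03:13:01 INFO  upload request from 45.61.139.187",
    "2023-02-18 03:13:02 WARN  driver replaced, client 45.61.139.187",
    "2023-02-18 03:20:10 INFO  upload request from 5.8.33.1478",
    "2023-02-18 03:21:00 INFO  agent 142.11.195.29 checked in",
])

if __name__ == "__main__":
    found = scan_log_lines(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"line {hit['line']}: {hit['ip']} -> {hit['text']}")
    print(ioc_counts(found))
```

The regex look-arounds matter: a naive substring search for `5.8.33.147` would also flag the unrelated address `5.8.33.1478` on line 4, which is exactly the kind of false positive that wastes analyst time during an incident.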

Threat Landscape

ConnectWise and ZK occupy a significant proportion of the Enterprise Application and Web Framework markets, respectively. Threat actors generally weigh likelihood of success against asset value when deciding which attack surfaces to focus on, which makes ConnectWise and ZK prime targets. Because Enterprise Applications and Web Frameworks have become integral to business operations, threat actors will continue to exploit vulnerabilities in these platforms in an attempt to extract the sensitive data they hold.

The majority of discovered infections have been located in the US, South Korea, the UK, Canada, Spain, Colombia, Malaysia, Italy, India and Panama. A total of 146 R1Soft servers were found to be still backdoored as of 20th February 2023.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:
TA0002 – Execution
TA0010 – Exfiltration

Technique – Defence Evasion:
T1556 – Modify Authentication Process

Technique – Discovery:
T1426 – System Information Discovery

Further Information

Rapid7 Blog
CISA Advisory
Huntress Report
Archive.is Analysis
