StorageCraft ImageManager Exploit Review
StorageCraft released version 7.8.1 on August 26, 2021, which enforced authentication for the management API and sanitized command inputs.
Because exploits happen, assume the ImageManager server will be compromised. Use a secondary immutable repository.
on a server could recover the plain-text passwords for FTPS replication targets. The vulnerability resides in how ImageManager (now part of ) stores credentials for offsite replication.
Vulnerable versions of ImageManager have been observed in ransomware incident response (IR) reports throughout 2022 and 2023. In one notable case, an MSP using a legacy version of StorageCraft had their ImageManager instance compromised via port 1357. The attacker did not deploy ransomware immediately. Instead, they used the RCE to install Cobalt Strike beacons on the backup server, waited two weeks for the clean backups to age out, then triggered the ransomware, and finally purged the remaining shadow copies via the ImageManager API. The client had no recoverable backups.
Standard installations of ImageManager often have ports 8888 or 32846 open. Attackers can use these ports to identify the software version and target unpatched instances. The Arcserve UDP Connection
If you performed a vulnerability scan on your backup server last month, would it have flagged port 1357 as "unauthenticated RCE"? If you are unsure, assume you are compromised. Isolate your ImageManager server now, audit the logs for the last 180 days, and force a password reset.

