{Updated on January 24, 2022}: On January 19, 2022, SolarWinds issued an advisory and a fix for a vulnerability identified as CVE-2021-35247 that was being leveraged in Log4J attacks.
CVE-2021-35247 is an input validation vulnerability that, given certain input, allows an attacker to build a query and send it over the network without sanitization.
On January 22, CISA included the vulnerability and 16 others in an update to the Known Exploited Vulnerabilities Catalog, with a patch deadline for the first week of February.
We therefore urge organizations to update their Serv-U servers to version 15.3 to mitigate the issue before the February deadline.
{Updated on January 5, 2022}: An increase in Clop ransomware victims in the last few months was traced back to the SolarWinds Serv-U FTP vulnerability, which is being abused by the threat actor TA505.
The cybercrime threat actor TA505, also known as Hive0065, uses Clop ransomware for extortion attacks. The Serv-U vulnerability was used as an initial access technique, a departure from the group's usual phishing-based approach.
We urge customers to immediately update systems running SolarWinds Serv-U software to version 15.2.3 HF2 and above.
On July 9, 2021, Microsoft informed SolarWinds of a zero-day vulnerability (CVE-2021-35211) in its Serv-U Managed File Transfer software that was being exploited in the wild. The threat campaign was attributed to a Chinese group called DEV-0322. Another Chinese APT group called SPIRAL was also seen targeting vendors. However, it is not yet certain if SPIRAL and DEV-0322 are related in any way.
DEV-0322 was seen using CVE-2021-35211 to launch limited and targeted attacks on organizations in the Asia-Pacific region before moving on to the US defense industrial base sector and leading companies in the North American healthcare, hospitality, education, software, and telecommunication sectors. The news of the threat campaign comes in the wake of a series of recent attacks by the Russian APT group Nobelium, which was involved in the SolarWinds Orion attack in December 2020.
The recently discovered vulnerability exists in the implementation of the Serv-U Secure Shell (SSH) protocol. If the SSH service is exposed to the Internet, attackers who successfully exploit the flaw can remotely run arbitrary code with privileges, allowing them to install and run malicious code or view and change data. The issue only affects Serv-U 15.2.3 HF1 and older versions.
SolarWinds released a hotfix for the zero-day vulnerability immediately after the discovery, and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on July 13, 2021 to all SolarWinds users and administrators, emphasizing the urgency of implementing the necessary updates.
Serv-U FTP CVE Findings
The Chinese group, DEV-0322, exploited two CVEs to gain access to the Serv-U FTP server and conduct its target-specific attacks. Here is our analysis of the vulnerabilities.
CVE-2021-35211
- CVE-2021-35211 is a remote code execution vulnerability in the SolarWinds Serv-U product.
- The CVE is classified under CWE-668 (Exposure of Resource to Wrong Sphere) as a critical vulnerability with a CVSS v3 score of 10.
- The remote memory escape vulnerability allows attackers to gain privileged access to machines hosting Serv-U products.
- A hotfix for the issue was released by SolarWinds on the day Microsoft discovered the zero-day vulnerability.
The attackers also actively exploited an existing SolarWinds Orion API vulnerability (CVE-2020-10148) to gain initial access to a vulnerable server.
CVE-2020-10148
- CVE-2020-10148 is an authentication bypass vulnerability in the SolarWinds Orion API. The vulnerability has remained in use since it was exploited in December 2020.
- Classified under two weakness enumerations, CWE-287 (Improper Authentication) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel), the CVE has a CVSS v3 score of 9.8 and is critical in severity.
- The Chinese group exploiting the FTP server was notably using the Orion API issue to remotely execute API commands and deploy a Supernova webshell.
- Patches for the CVE were issued after the December 2020 Sunburst malware attack.
DEV-0322 Attack Methodology
According to the Microsoft report, the DEV-0322 attacks were discovered during a routine test of the Windows Defender antivirus, which detected malicious processes originating from the Serv-U primary application.
The attackers gained initial access to a vulnerable server by leveraging an older Orion API vulnerability (CVE-2020-10148). Once they bypassed authentication through the Secure Shell Protocol (SSH) flaw, they were able to write a Supernova webshell to disk using a PowerShell command. This allowed the attackers to target Internet-facing SSH ports and servers in the specific target sectors and create a backdoor.
The Supernova webshell was previously used by a Chinese APT group, Spiral, during the December 2020 SolarWinds attack. However, due to a lack of evidence, no connection between Spiral and DEV-0322 has been established.
IoCs
- 98[.]176[.]196[.]89
- 68[.]235[.]178[.]32
- 208[.]113[.]35[.]58
- 144[.]34[.]179[.]162
- 97[.]77[.]97[.]58
- hxxp://144[.]34[.]179[.]162/a
- C:\Windows\Temp\Serv-U.bat
- C:\Windows\Temp\test\current.dmp
SolarWinds chose not to disclose the details of the attack.
Microsoft discovered that the same CVE was being used to carry out limited and targeted attacks on specific sectors by a previously unknown threat group. Although SolarWinds was informed about the persistent attacks in Microsoft’s report, the organization chose not to disclose it publicly.
After facing considerable pressure from the cybersecurity community, SolarWinds relented and disclosed the details of the attack to ensure clients could take countermeasures to detect and block any further attacks.
Serv-U FTP Server Exposure Analysis
Our exposure analysis using Shodan shows more than 70,000 Internet-facing SolarWinds Serv-U FTP servers. Alarmingly, many organizations have been slow to update their servers despite warnings.
Staying up-to-date is recommended
The advisory issued by Microsoft and the guidance provided by SolarWinds urge administrators to check for indicators of compromise within their infrastructure.
Companies using the SolarWinds Serv-U file transfer servers can avoid being attacked by either disabling SSH access to their servers or by installing the hotfix issued by SolarWinds.
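As an added illustration of that indicator check (example code written for this article, not a SolarWinds or Microsoft tool), the script below refangs the indicators quoted in the IoC list above and searches log lines for them; the sample log lines and the internal addresses in them are constructed, not taken from a real incident.

```python
import re

# Indicators of compromise quoted in the advisory above, in defanged form.
DEFANGED_IOCS = [
    "98[.]176[.]196[.]89",
    "68[.]235[.]178[.]32",
    "208[.]113[.]35[.]58",
    "144[.]34[.]179[.]162",
    "97[.]77[.]97[.]58",
    "hxxp://144[.]34[.]179[.]162/a",
    r"C:\Windows\Temp\Serv-U.bat",
    r"C:\Windows\Temp\test\current.dmp",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('hxxp', '[.]') back into its literal form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


# One case-insensitive pattern per indicator; re.escape keeps '.' and '\' literal,
# so Windows paths match regardless of the case the log writer used.
IOC_PATTERNS = [(ioc, re.compile(re.escape(refang(ioc)), re.IGNORECASE))
                for ioc in DEFANGED_IOCS]


def scan_lines(lines):
    """Return (line_number, defanged_ioc) for every indicator found in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ioc, pattern in IOC_PATTERNS:
            if pattern.search(line):
                hits.append((n, ioc))
    return hits


# Constructed sample log lines (not from the advisory): two suspicious, one benign.
SAMPLE_LOGS = [
    "2021-07-09 10:15:02 Serv-U.exe spawned cmd.exe /c c:\\windows\\temp\\serv-u.bat",
    "2021-07-09 10:15:05 outbound GET http://144.34.179.162/a from 10.0.0.12",
    "2021-07-09 10:16:10 user alice logged in from 10.0.0.7",
]

if __name__ == "__main__":
    for n, ioc in scan_lines(SAMPLE_LOGS):
        print(f"line {n}: matched {ioc}")
```

A line that contains the download URL is reported twice, once for the bare address and once for the full URL, which is the behaviour you want when triaging outbound connections separately from fetched payloads.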
Attackers need only one exploitable flaw to initiate an attack that can take down an organization. Adopting a risk-based approach to managing the vulnerabilities across the attack surface is therefore paramount for organizations that wish to strengthen their security posture.