{"id":7512,"date":"2021-08-11T19:54:32","date_gmt":"2021-08-12T02:54:32","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7512"},"modified":"2023-04-11T10:22:36","modified_gmt":"2023-04-11T17:22:36","slug":"critical-solarwinds-serv-u-ftp-flaw-exploited-by-new-chinese-threat-group","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/critical-solarwinds-serv-u-ftp-flaw-exploited-by-new-chinese-threat-group\/","title":{"rendered":"Critical SolarWinds Serv-U FTP Flaw Exploited by New Chinese Threat Group"},"content":{"rendered":"


{Updated on January 24, 2022}:<\/strong> On January 19, 2022, SolarWinds issued an advisory and a fix for a vulnerability identified as CVE-2021-35247 that was being leveraged in Log4J attacks.<\/p>\n

CVE-2021-35247 is an improper input validation vulnerability that lets an attacker build a query from unsanitized input and send it over the network.<\/p>\n

On January 22, CISA included the vulnerability and 16 others in an update to the Known Exploited Vulnerabilities Catalog, with a patch deadline for the first week of February.<\/strong><\/p>\n

We, therefore, urge organizations to update their Serv-U servers to version 15.3 to mitigate the issue before the February deadline.<\/strong><\/p>\n<\/blockquote>\n

{Updated on January 5, 2022}: <\/strong>An increase in Clop ransomware victims in the last few months was traced back to the SolarWinds Serv-U FTP vulnerability which is being abused by the threat actor, TA505.<\/p>\n

The cybercrime threat actor, TA505, also known as Hive0065, uses Clop ransomware for extortion attacks. The Serv-U vulnerability was used as an initial access technique deviating from their usual tactics of a phishing-based approach.<\/p>\n

We urge customers to immediately update systems running SolarWinds Serv-U software to version 15.2.3 HF2 and above.<\/strong><\/p>\n


On July 9, 2021, Microsoft informed <\/a>SolarWinds of a zero-day vulnerability (CVE-2021-35211<\/a>) in its Serv-U Managed File Transfer software that was being exploited in the wild. The threat campaign was attributed to<\/a> a Chinese group called DEV-0322. Another Chinese APT group called SPIRAL was also seen targeting vendors<\/a>. However, it is not yet certain if SPIRAL and DEV-0322 are related in any way.<\/strong><\/p>\n

DEV-0322 was seen using CVE-2021-35211<\/a> to launch limited and targeted attacks on organizations in the Asia-Pacific, before venturing towards the US defense industrial base sector and leading companies in the North American healthcare, hospitality, education, software, and telecommunication sectors. The news of the threat campaign comes in the wake of a series of recent attacks<\/a> by the Russian APT group, Nobelium, which was involved in the Solarwinds Orion attack<\/a> in December 2020<\/a>.<\/p>\n

The recently discovered vulnerability exists in the implementation of the Serv-U Secure Shell (SSH) protocol. When the Serv-U SSH service is exposed to the Internet, attackers who successfully exploit it can remotely run arbitrary code with privileges, allowing them to install and run malicious code or view and change data. The issue only affects Serv-U 15.2.3 HF1 and older versions.<\/p>\n

SolarWinds released a hotfix<\/a> for the zero-day vulnerability immediately after the discovery, and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning<\/a> on July 13, 2021 to all SolarWinds users and administrators, emphasizing the urgency of applying the necessary updates.<\/p>\n


Serv-U FTP CVE Findings<\/strong><\/h2>\n


The Chinese group, DEV-0322, exploited two CVEs to gain access to the Serv-U FTP server and conduct its target-specific attacks. Here is our analysis of the vulnerabilities.<\/p>\n


CVE-2021-35211<\/strong><\/p>\n