Threat Update
SolarWinds, an IT management and remote monitoring software developer that fell victim to the Sunburst supply chain attack, has been exploited again. However, the Serv-U zero day exploit is limited to targeted customer impact according to Microsoft. A patch has been released by SolarWinds in the Serv-U version 15.2.3 hotfix (HF) 2 update.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Microsoft discovered SolarWinds’ Serv-U products Remote Memory Escape Vulnerability that can be exploited by remote code execution or RCE. Once exploited the threat actor can run arbitrary code with privileges that will allow them unauthorized access to install programs; view, change and delete data; and execute malicious code. This threat is limited to the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows machines as the Linux version of the products will crash upon exploit attempt.
WHY IS IT NOTEWORTHY?
Serv-U Managed File Transfer Server and Serv-U Secured FTP is a multi-protocol file server capable of sending and receiving files from other networked computers. Although Serv-U products appear to be limited to a few consumers, more recently it seems threat actors have a tendency to target MSPs to gain access to multiple consumers.
WHAT IS THE EXPOSURE OR RISK?
The massive IT management and remote monitoring software company deploys their products to thousands of both public and private sector consumers. Microsoft has previously observed the China native threat actors, namely DEV-0322, targeting the U.S. Defense Industrial Base Sector and software companies. The combination of skilled threat actors, RCE vulnerability, and a massive software company that serves thousands of clients can lead to crippling ransomware attack for many. As previously mentioned, once exploited the attacker has the ability to alter data on an affected system.
WHAT ARE THE RECOMMENDATIONS?
Our SOC has implemented custom rules in our security monitoring platform to detect the indicators of compromise associated with the exploit. SolarWinds has recommended to update the Serv-U products to the Serv-U 15.2.3 HF2 as it has the patch for the Remote Memory Escape Vulnerability. SKOUT recommends:
- Disable SSH access on the Serv-U installation.
- Block the following IPs in your environment: 98[.]176[.]196[.]89; 68[.]235[.]178[.]32; 208[.]113[.]35[.]58; 144[.]34[.]179[.]162; 97[.]77[.]97[.]58
- Update software to the latest version, Serv-U 15.2.3 HF2, for security updates and patches.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html
- https://www.tenable.com/blog/cve-2021-35211-solarwinds-serv-u-managed-file-transfer-zero-day-exploited-dev-0322#:~:text=CVE%2D2021%2D35211%20is%20a,U%20SSH%20protocol%20externally%20accessible.
- https://www.securityweek.com/solarwinds-confirms-new-zero-day-flaw-under-attack
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35211
If you have any questions, please contact our Security Operations Center.
