SecurityWeek

Cybercrime

Russian Cybercrime Group Exploits SolarWinds Serv-U Vulnerability

The Russia-linked ‘Evil Corp’ cybercrime group has been exploiting a vulnerability in SolarWinds Serv-U for initial infection, cybersecurity and risk mitigation firm NCC Group reports.

Tracked as CVE-2021-35211, the vulnerability affects Serv-U installations that have SSH enabled. An unauthenticated attacker who can reach the SSH service could execute arbitrary code on the vulnerable host.

SolarWinds first disclosed the vulnerability on July 9, 2021, when it shipped an urgent hotfix. The bug was already being exploited in the wild as a zero-day, and days later Microsoft attributed that activity to a China-based threat group.

In a report published Monday, UK-based NCC Group revealed that a Russian cybercrime group is also exploiting the vulnerability, a shift from the phishing-based initial access the group typically relies on.

Evil Corp, which is also referred to as TA505 and is best known for operating the Dridex Trojan and ransomware families such as Locky, Bart, BitPaymer, and WastedLocker, was previously observed exploiting the Zerologon vulnerability (CVE-2020-1472).

According to NCC Group, a surge in Clop ransomware incidents over the past several weeks led its responders to TA505 activity in which SolarWinds Serv-U exploitation was the initial access vector.

Following successful exploitation of CVE-2021-35211, the Serv-U process spawns a subprocess under the adversary's control, which lets them run commands and stage additional payloads for further compromise of the network.

As part of the attacks, PowerShell commands were used to deploy a Cobalt Strike Beacon, the researchers explain.

For persistence, the attackers hijacked a legitimate Windows scheduled task, RegIdleBackup (found under \Microsoft\Windows\Registry in Task Scheduler), so that their code runs whenever the task fires. In the next stage, the FlawedGrace RAT was deployed.

Organizations are advised to inventory any Serv-U FTP servers in their environments, particularly those with SSH enabled, and to apply the available hotfix as soon as possible.

Administrators can look for signs of compromise in Serv-U's DebugSocketlog.txt log file, where exploitation attempts leave characteristic exception entries. They should also review child processes of Serv-U for suspicious PowerShell commands, and check the RegIdleBackup scheduled task for modifications.
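The three checks above, as an added example (this is not code from NCC Group, SolarWinds, or the article): a scanner for the DebugSocketlog.txt exception signature that SolarWinds and Microsoft published for this bug, a trait check for loader-style PowerShell command lines, and a comparison of an exported RegIdleBackup task against a known-good baseline. The log line layout, IP addresses, task XML contents and the baseline ClassId are constructed placeholders; the exception text, the schtasks export command and the Task Scheduler XML namespace are real.

```python
"""Triage checks for the Serv-U compromise indicators named above:
the DebugSocketlog.txt exception, suspicious PowerShell command lines, and a
modified RegIdleBackup scheduled task.  Added example; not code from NCC Group
or SolarWinds.  Sample inputs below are constructed for demonstration."""
import re
import xml.etree.ElementTree as ET

# Exception text that SolarWinds and Microsoft published as the indicator of
# CVE-2021-35211 exploitation attempts in DebugSocketlog.txt.  Attempts, not
# only successes, leave this entry, so a hit means "someone fired the exploit".
EXPLOIT_EXCEPTION = re.compile(
    r"EXCEPTION:\s*C0000005;\s*CSUSSHSocket::ProcessReceive\(\)", re.I)
# Peer address from the preceding session line, kept only for triage context.
CONNECTED_FROM = re.compile(r"Connected to (\d{1,3}(?:\.\d{1,3}){3})")

def scan_servu_log(text):
    """Return (line_no, last_seen_peer_ip, line) for every exploit-signature line."""
    findings, last_peer = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = CONNECTED_FROM.search(line)
        if m:
            last_peer = m.group(1)
        if EXPLOIT_EXCEPTION.search(line):
            findings.append((no, last_peer, line.strip()))
    return findings

# Traits of the PowerShell loader stages used to drop a beacon after exploitation.
PS_SUSPECT = [
    (re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.I), "base64 -EncodedCommand"),
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "Invoke-Expression"),
    (re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I), "download cradle"),
    (re.compile(r"-(w(indowstyle)?\s+hidden|nop|noni)", re.I), "hidden / non-interactive flags"),
]

def flag_powershell(cmdline):
    """Return the reasons a process command line looks like a PowerShell loader stage."""
    if not re.search(r"\b(powershell(\.exe)?|pwsh)\b", cmdline, re.I):
        return []
    return [label for rx, label in PS_SUSPECT if rx.search(cmdline)]

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def check_regidlebackup(task_xml, baseline_clsid):
    """Diff an exported RegIdleBackup task against a known-good baseline.

    The stock task has a single ComHandler action and no Exec action.
    baseline_clsid is the ClassId copied from a clean host of the same Windows
    build (an input here, deliberately not hard-coded).  Export the task with:
      schtasks /query /xml /tn "\\Microsoft\\Windows\\Registry\\RegIdleBackup"
    and pass the file's raw bytes (the export is UTF-16) to this function.
    """
    root = ET.fromstring(task_xml)
    problems = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        problems.append(f"unexpected Exec action: {cmd} {args}".strip())
    handlers = root.findall(".//t:Actions/t:ComHandler", TASK_NS)
    if not handlers:
        problems.append("no ComHandler action (the stock task has exactly one)")
    for h in handlers:
        clsid = h.findtext("t:ClassId", default="", namespaces=TASK_NS).strip().lower()
        if clsid != baseline_clsid.strip().lower():
            problems.append(f"ComHandler ClassId {clsid} differs from baseline")
    return problems

# Constructed sample inputs: the exception text mirrors the published indicator;
# the line layout, addresses, task contents and ClassId are made up.
SAMPLE_LOG = """\
[01] Mon 12Jul21 09:41:02 - (000017) Connected to 203.0.113.5 (local address 10.0.0.8, port 22)
[01] Mon 12Jul21 09:41:03 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
[01] Mon 12Jul21 09:41:05 - (000018) Connected to 203.0.113.5 (local address 10.0.0.8, port 22)
[01] Mon 12Jul21 09:41:06 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
[01] Mon 12Jul21 09:50:11 - (000019) Connected to 198.51.100.20 (local address 10.0.0.8, port 21)
[01] Mon 12Jul21 09:50:12 - (000019) User "ftpuser" logged in
"""
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + "SQBFAFgA" * 8
SAMPLE_TASK_XML = """\
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="LocalSystem">
    <ComHandler><ClassId>{11111111-2222-3333-4444-555555555555}</ClassId></ComHandler>
    <Exec>
      <Command>C:\\Windows\\System32\\rundll32.exe</Command>
      <Arguments>C:\\ProgramData\\update.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>
"""
BASELINE_CLSID = "{11111111-2222-3333-4444-555555555555}"  # placeholder, not the real ClassId

if __name__ == "__main__":
    for no, peer, line in scan_servu_log(SAMPLE_LOG):
        print(f"DebugSocketlog.txt line {no} (peer {peer}): {line[:60]}...")
    print("PowerShell traits:", flag_powershell(SAMPLE_CMDLINE))
    print("RegIdleBackup problems:", check_regidlebackup(SAMPLE_TASK_XML, BASELINE_CLSID))
```

A task export that matches the baseline is not a clean bill of health: a COM-handler task can be hijacked by registry changes alone, without touching the task definition, so also confirm that the InprocServer32 registration for the ClassId still points at the expected system DLL. Likewise, exception hits in DebugSocketlog.txt show that the exploit was fired at the host, not that it succeeded; correlate them with Serv-U child processes from the same time window.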

NCC Group notes that most of the potentially vulnerable Serv-U FTP services it identified are located in China (1,141) and the United States (549).

The vulnerability is fixed in Serv-U 15.2.3 Hotfix 2 (HF2) and later versions.

Related: Russia-Linked TA505 Back at Targeting Financial Institutions

Related: Russian ‘Evil Corp’ Cybercriminals Possibly Evolved Into Cyberspies

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
