Connect with us

Hi, what are you looking for?



Russian Cybercrime Group Exploits SolarWinds Serv-U Vulnerability

The Russia-linked ‘Evil Corp’ cybercrime group has been exploiting a vulnerability in SolarWinds Serv-U for initial infection, cybersecurity and risk mitigation firm NCC Group reports.

The Russia-linked ‘Evil Corp’ cybercrime group has been exploiting a vulnerability in SolarWinds Serv-U for initial infection, cybersecurity and risk mitigation firm NCC Group reports.

Tracked as CVE-2021-35211, the security error affects Serv-U installations that have SSH enabled. An attacker able to exploit the bug could run arbitrary code on a vulnerable system.

The security issue was initially detailed on July 9, when SolarWinds shipped an urgent hotfix for it. The issue was already being targeted in attacks, and days later Microsoft attributed the activity to a Chinese threat group.

In a Monday report, UK-based NCC Group revealed that Russian cybercriminals are also targeting the vulnerability, which marks a shift from their typical phishing-based tactic.

Evil Corp, which is also referred to as TA505, and which is best known for operating the Dridex Trojan and ransomware families such as Locky, Bart, BitPaymer, and WastedLocker, was previously observed exploiting the vulnerability known as Zerologon.

According to NCC Group, a surge in Clop ransomware attacks over the past several weeks led to the discovery of TA505 activity associated with SolarWinds Serv-U exploitation.

Following successful exploitation of CVE-2021-35211, the Serv-U server spawns a subprocess the adversary can control, which allows them to run commands and deploy additional payloads for further network compromise.

Advertisement. Scroll to continue reading.

As part of the attacks, PowerShell commands were used to deploy a Cobalt Strike Beacon, the researchers explain.

Furthermore, the attackers hijacked a scheduled task named RegIdleBackup that allowed them to achieve persistence on the compromised machines. At the next stage, the FlawedGrace RAT would be deployed.

Organizations are advised to identify any potentially vulnerable Serv-U FTP servers within their environments and apply the available patches as soon as possible, to ensure they remain protected.

Administrators can identify potential compromise by looking for suspicious entries in the DebugSocketlog.txt Serv-U log file, where specific exceptions related to attacks are logged. They should also check for suspicious PowerShell commands and for the RegIdleBackup task abuse.

NCC Group notes that most of the Serv-U FTP services that are potentially vulnerable are located in China (1,141) and the United States (549).

Serv-U version 15.2.3 hotfix and later versions address the issue.

Related: Russia-Linked TA505 Back at Targeting Financial Institutions

Related: Russian ‘Evil Corp’ Cybercriminals Possibly Evolved Into Cyberspies

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.