Russian Cybercrime Group Exploits SolarWinds Serv-U Vulnerability
The Russia-linked ‘Evil Corp’ cybercrime group has been exploiting a vulnerability in SolarWinds Serv-U for initial infection, cybersecurity and risk mitigation firm NCC Group reports.
Tracked as CVE-2021-35211, the security flaw affects Serv-U installations that have SSH enabled. An attacker able to exploit the bug could run arbitrary code on a vulnerable system.
The security issue was initially detailed on July 9, when SolarWinds shipped an urgent hotfix for it. The issue was already being targeted in attacks, and days later Microsoft attributed the activity to a Chinese threat group.
In a Monday report, UK-based NCC Group revealed that Russian cybercriminals are also targeting the vulnerability, which marks a shift from their typical phishing-based tactics.
Evil Corp, also referred to as TA505 and best known for operating the Dridex Trojan and ransomware families such as Locky, Bart, BitPaymer and WastedLocker, was previously observed exploiting the vulnerability known as Zerologon.
According to NCC Group, a surge in Clop ransomware attacks over the past several weeks led to the discovery of TA505 activity associated with SolarWinds Serv-U exploitation.
Following successful exploitation of CVE-2021-35211, the Serv-U server spawns a subprocess the adversary can control, which allows them to run commands and deploy additional payloads for further network compromise.
As part of the attacks, PowerShell commands were used to deploy a Cobalt Strike Beacon, the researchers explain.
Furthermore, the attackers hijacked a scheduled task named RegIdleBackup that allowed them to achieve persistence on the compromised machines. At the next stage, the FlawedGrace RAT would be deployed.
Organizations are advised to identify any potentially vulnerable Serv-U FTP servers within their environments and apply the available patches as soon as possible, to ensure they remain protected.
Administrators can identify potential compromise by looking for suspicious entries in the DebugSocketlog.txt Serv-U log file, where specific exceptions related to attacks are logged. They should also check for suspicious PowerShell commands and for the RegIdleBackup task abuse.
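The following triage script is an added example (not NCC Group's or SolarWinds' code) that checks the indicators listed above on a Serv-U host: the installed Serv-U binary version, exception entries in DebugSocketlog.txt, any command-line action attached to the RegIdleBackup scheduled task, and PowerShell script-block events (ID 4104) containing common loader patterns. The log directory, the literal keyword EXCEPTION, the assumption that the stock RegIdleBackup task carries only a COM-handler action, and the loader-pattern list are all assumptions, not values from the report.

```powershell
# Added triage script; assumptions are marked inline.
param(
    [string]$ServULogDir = 'C:\ProgramData\RhinoSoft\Serv-U',   # assumed default log path
    [int]$LookbackDays   = 30
)
$findings = @()

# 1. Serv-U version taken from the service binary (15.2.3 hotfix and later are fixed)
$svc = Get-CimInstance Win32_Service -Filter "Name LIKE 'Serv-U%'" | Select-Object -First 1
if ($svc) {
    $exe = $svc.PathName -replace '^"([^"]+)".*', '$1'
    $ver = (Get-Item $exe -ErrorAction SilentlyContinue).VersionInfo.ProductVersion
    $findings += "Serv-U service '$($svc.Name)' binary version: $ver"
}

# 2. Exception entries in DebugSocketlog.txt (keyword 'EXCEPTION' is an assumption)
$log = Join-Path $ServULogDir 'DebugSocketlog.txt'
if (Test-Path $log) {
    foreach ($h in (Select-String -Path $log -Pattern 'EXCEPTION' -SimpleMatch)) {
        $findings += "DebugSocketlog.txt line $($h.LineNumber): $($h.Line.Trim())"
    }
} else {
    $findings += "DebugSocketlog.txt not found under $ServULogDir; check the install directory"
}

# 3. RegIdleBackup: the stock task uses a COM handler, so any Exec action (a command
#    line) is a modification worth investigating (assumption about the stock task)
$task = Get-ScheduledTask -TaskName 'RegIdleBackup' -ErrorAction SilentlyContinue
if ($task) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) { $findings += "RegIdleBackup runs a command: $($a.Execute) $($a.Arguments)" }
    }
}

# 4. PowerShell script-block logging (event 4104) with typical in-memory loader patterns
$patterns = 'FromBase64String|Invoke-Expression|\bIEX\b|DownloadString|VirtualAlloc'
$filter   = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
               StartTime = (Get-Date).AddDays(-$LookbackDays) }
foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    if ($e.Message -match $patterns) {
        $snippet = $e.Message.Substring(0, [Math]::Min(120, $e.Message.Length))
        $findings += "PowerShell 4104 at $($e.TimeCreated): $snippet"
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Script-block logging must be enabled for step 4 to return anything; a hit in any step is a lead for a full investigation, not proof of compromise on its own.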
NCC Group notes that most of the Serv-U FTP services that are potentially vulnerable are located in China (1,141) and the United States (549).
The Serv-U version 15.2.3 hotfix and later versions address the issue.