Microsoft has discovered an actively exploited security vulnerability in the SolarWinds Serv-U Managed File Transfer Server and Secured FTP products. Fixes are urgently needed.
No respite for businesses from cyberattacks. Hackers have been stepping up their malicious campaigns for several months (Exchange flaw, Kaseya, etc.) resulting in a shower of intrusions, theft, data encryption and ransom demands. At the end of 2020, we also remember the shock caused by the discovery of the SolarWinds hack, with global repercussions, which led to massive and targeted attacks targeting 150 companies. The publisher is talking about him again today, Microsoft having warned him of an actively exploited security flaw. “SolarWinds was recently notified by Microsoft of a security vulnerability related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and has developed a patch to address this flaw,” the vendor explained. “Even though Microsoft’s research indicates that this exploit involves a limited, targeted set of customers and a single group of cybercriminals, our joint teams have mobilized to address it quickly.” Serv-U Managed File Transfer Server and Secured FTP are tools for managing and transferring secure files and FTP.
“The vulnerability exists in the latest version of Serv-U 15.2.3 HF1 released on May 5, 2021 and all prior versions,” SolarWinds warned. “A malicious actor who successfully exploited this flaw could execute arbitrary code with privileges. An attacker could then install programs and run them; view, modify or delete data”. To access the Serv-U 15.2.3 HF2 patch, users of its solutions must go to the dedicated customer portal. Support is also available for those who are not registered. The number of customers potentially exposed was not specified. According to Microsoft, which created a PoC of the exploit demonstrating the operation and the dangerousness of the attack, the impact concerns a “limited” number of users. “SolarWinds does not currently have an estimate of the number of customers that may be directly affected by the vulnerability. We are not aware of the identity of the potentially affected customers,” the publisher said.
Signs of compromise to know
To find out if one of its environments has been compromised by this flaw, the publisher recommends making sure of it by following three steps: the first is to know if the SSH connection is indeed activated. If this is not the case, this exploit is not operational. If applicable, this vulnerability has the particularity of throwing an exception and intercepting exception handling code used to execute malicious commands. We must then dive into the DebugSocketlog.txt log file which may contain this exception: 07]Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5.
“Exceptions can be thrown for other reasons, so please collect logs to help determine your situation,” SolarWinds said. Finally, you should also closely monitor SSH connections from the following IP addresses that can be used by hackers. Namely 184.108.40.206 and 220.127.116.11 as well as connections via TCP 443 from this IP address 18.104.22.168.