SolarWinds, the US vendor whose Orion software was trojanized in the 2020 supply-chain attack that let attackers infiltrate thousands of customer systems, has now closed a 0-day vulnerability in Serv-U with an update. The remote code execution vulnerability CVE-2021-35211, which sits in the SSH component of the file transfer server, has already been exploited in the wild.
The vulnerability was discovered by Microsoft. Catalin Cimpanu has compiled the details in this article; another post can be found at Bleeping Computer.
Last Friday (July 9, 2021), SolarWinds issued a security advisory. Microsoft had notified the vendor of a vulnerability in Serv-U Managed File Transfer Server and Serv-U Secured FTP, and a hotfix was developed to address it. According to Microsoft's research, the vulnerability has so far been exploited against only a limited number of customers, and by a single threat actor; SolarWinds nevertheless addressed it quickly with a patch.
The vulnerability exists in the then-current Serv-U version 15.2.3 HF1, released on May 5, 2021, as well as in all previous versions. An attacker who successfully exploits it can execute arbitrary code with the privileges of the Serv-U service and could then install programs; view, change, or delete data; or run programs on the affected system.
The vendor recommends that customers install the update (Serv-U 15.2.3 Hotfix 2) immediately. Alternatively, disabling SSH on the affected products prevents exploitation, since the flaw is only reachable over SSH; if SSH is not enabled, the vulnerability cannot be triggered. Further details can be found in the SolarWinds security advisory.
Addendum: Microsoft has published this blog post on the attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes the campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.
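As a quick triage aid, here is an added Python example; it is not code from SolarWinds, Microsoft, or this post. It parses Serv-U version strings of the form used above ("15.2.3 HF1"), decides whether a build falls in the affected range (everything up to and including 15.2.3 HF1; the fixed build, 15.2.3 HF2, is taken from the vendor's release notes rather than from the text above), treats a host with SSH disabled as not exposed, and scans DebugSocketLog.txt lines for the access-violation signature (EXCEPTION: C0000005 in CSUSSHSocket::ProcessReceive) that Microsoft's blog post names as the trace of a failed exploitation attempt. The sample log lines, IP address and timestamps are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Last affected build per the SolarWinds advisory: 15.2.3 HF1, plus everything earlier.
# First fixed build: 15.2.3 HF2 (vendor release notes; not stated in the post above).
LAST_VULNERABLE = (15, 2, 3, 1)
FIRST_FIXED = (15, 2, 3, 2)

# "MAJOR.MINOR[.PATCH][.BUILD][ HFn]" -> a build number is tolerated but ignored,
# a missing hotfix suffix counts as HF0 so that "15.2.3" sorts before "15.2.3 HF1".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)

# Indicator from Microsoft's MSTIC blog post: a crashed exploitation attempt leaves this
# exception in Serv-U's DebugSocketLog.txt. Whitespace is matched loosely.
CRASH_SIGNATURE = re.compile(
    r"EXCEPTION:\s*C0000005;\s*CSUSSHSocket::ProcessReceive\(\)", re.IGNORECASE
)


def parse_servu_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Serv-U version string into a comparable (major, minor, patch, hotfix) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def is_vulnerable_build(version: str) -> bool:
    """True if the installed build is 15.2.3 HF1 or anything older."""
    return parse_servu_version(version) <= LAST_VULNERABLE


def is_exposed(version: str, ssh_enabled: bool) -> bool:
    """A vulnerable build is only exposed while SSH is enabled (the advisory's workaround)."""
    return ssh_enabled and is_vulnerable_build(version)


def find_crash_indicators(log_lines: Iterable[str]) -> List[str]:
    """Return the DebugSocketLog.txt lines that carry the MSTIC crash signature."""
    return [line for line in log_lines if CRASH_SIGNATURE.search(line)]


def triage(version: str, ssh_enabled: bool, log_lines: Iterable[str]) -> Dict[str, object]:
    """Combine the three checks into one result a responder can act on."""
    hits = find_crash_indicators(log_lines)
    return {
        "vulnerable_build": is_vulnerable_build(version),
        "exposed": is_exposed(version, ssh_enabled),
        "crash_indicators": hits,
        "needs_investigation": bool(hits),
    }


# Constructed sample excerpt (not a real capture); only the exception fragment on the
# second line mirrors the indicator Microsoft published.
SAMPLE_DEBUG_LOG = [
    "[01] Tue 13Jul21 03:12:01 - Client connected from 203.0.113.7",
    "[01] Tue 13Jul21 03:12:02 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); "
    "Type: 30; nPacketLength = 76; nBytesReceived = 80",
    "[01] Tue 13Jul21 03:12:05 - Client disconnected",
]

if __name__ == "__main__":
    for ver, ssh in (("15.2.3 HF1", True), ("15.2.3 HF1", False), ("15.2.3 HF2", True)):
        result = triage(ver, ssh, SAMPLE_DEBUG_LOG)
        print(f"{ver:12s} ssh={ssh!s:5s} vulnerable={result['vulnerable_build']} "
              f"exposed={result['exposed']} crash_lines={len(result['crash_indicators'])}")
```

Note that a crash indicator in the log is worth investigating even on a host that has since been patched or has SSH disabled: it records an attempt, and a successful attempt leaves no such exception. A version string with a build number, such as "15.2.3.717 HF1", is accepted and compared on the first three components plus the hotfix number only.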
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail
SUNBURST malware was injected into SolarWinds' source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft's analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: the hackers' goals; is outsourcing under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
Kaspersky: SolarWinds Sunburst backdoor resembles Russian APT malware
SolarLeaks allegedly offers source code from Cisco, Microsoft and SolarWinds
Malwarebytes also successfully hacked by the SolarWinds attackers
Four more security vendors confirm SolarWinds incidents
Accusation: Microsoft failed with security in the SolarWinds hack
SolarWinds: Update for Orion software; attackers had access to top DHS accounts