Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks


The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt their devices.

The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution vulnerability, tracked as CVE-2021-35211, allows a remote threat actor to execute commands on a vulnerable server with elevated privileges.

SolarWinds released an emergency security update in July 2021 after discovering “a single threat actor” exploiting it in attacks.

The company also warned that this vulnerability only affects customers who have enabled the SSH feature, which is commonly used to further protect connections to the FTP server.

Vulnerability used in ransomware attacks

According to a new report by the NCC Group, there’s been an uptick in Clop ransomware infections in the past couple of weeks, with most of them starting with the exploitation of CVE-2021-35211.

While the Clop gang is known to use vulnerabilities in their attacks, such as the Accellion zero-day attacks, the researchers state that TA505 more commonly uses phishing emails with malicious attachments to breach networks.

In the new attacks spotted by NCC, the threat actors exploit Serv-U to spawn a sub-process controlled by the attackers, thus enabling them to run commands on the target system.


This opens up the way for malware deployment, network reconnaissance, and lateral movement, essentially laying the ground for a ransomware attack.

A characteristic sign of this flaw being exploited is the appearance of exception errors in the Serv-U logs.

The exception error shown in logs will be similar to the following string:

‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’

Another sign of exploitation is traces of PowerShell command execution, which is used to deploy a Cobalt Strike beacon on the vulnerable system.

For persistence, the actors hijack a legitimate scheduled task that is used for regularly backing up registry hives and abuse the associated COM handler to load ‘FlawedGrace RAT.’

FlawedGrace is a tool that TA505 has been using since at least November 2017, and it remains a reliable part of the group’s arsenal.

NCC Group has posted the following handy checklist for system administrators who suspect compromise:

  • Check if your Serv-U version is vulnerable
  • Locate Serv-U’s DebugSocketlog.txt
  • Search for entries such as ‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’ in this log file
  • Check for Event ID 4104 in the Windows Event logs surrounding the date/time of the exception and look for suspicious PowerShell commands
  • Check for the presence of a hijacked Scheduled Task named RegIdleBackup using the provided PowerShell command
  • If the task has been abused, the CLSID in its COM handler will no longer be the legitimate value {CA767AA8-9157-4604-B64B-40747123D5F2}
  • If the task includes a different CLSID: check the content of the CLSID objects in the registry using the provided PowerShell command; returned Base64-encoded strings can be an indicator of compromise.
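The checklist above as a single triage script, added here as an example; it is not NCC Group's own command (which the article does not reproduce) nor SolarWinds tooling. The Serv-U log path is an assumed default install location, the review window is an assumption, and the keyword and Base64 regexes are generic heuristics of mine rather than patterns from the report:

```powershell
# Added triage script; not NCC Group's or SolarWinds' own tooling. Log path is an assumed default.
param(
    [string]$ServULog = 'C:\ProgramData\RhinoSoft\Serv-U\DebugSocketlog.txt',   # assumption: default Serv-U data dir
    [datetime]$Since  = (Get-Date).AddDays(-30)                                  # assumption: review window
)
$ErrorActionPreference = 'SilentlyContinue'
$ExpectedClsid = '{CA767AA8-9157-4604-B64B-40747123D5F2}'   # legitimate RegIdleBackup COM handler (from the checklist)
$Marker        = 'EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();'

# 1. Serv-U debug log: access violations in the SSH receive path are the tell-tale of CVE-2021-35211 attempts
$hits = @(Select-String -Path $ServULog -SimpleMatch $Marker)
"[Serv-U] $($hits.Count) exception line(s) in $ServULog"
$hits | Select-Object -First 5 | ForEach-Object { "    line $($_.LineNumber): $($_.Line)" }

# 2. PowerShell script-block logging (Event ID 4104) in the review window; the regex below is a generic
#    heuristic (encoded commands, in-memory downloads) added here, not a pattern taken from the article
$blocks  = @(Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$Since })
$suspect = @($blocks | Where-Object { $_.Properties[2].Value -match '-enc|FromBase64String|DownloadString|IEX|Invoke-Expression' })
"[4104]   $($blocks.Count) script block(s) since $Since, $($suspect.Count) match the encoded/download heuristic"
$suspect | Select-Object -First 5 | ForEach-Object {
    $text = ($_.Properties[2].Value -replace '\s+', ' ')        # ScriptBlockText is the third event property
    "    $($_.TimeCreated): $($text.Substring(0, [Math]::Min(120, $text.Length)))"
}

# 3. RegIdleBackup scheduled task: its COM handler must still point at the stock CLSID
[xml]$task = Export-ScheduledTask -TaskName 'RegIdleBackup' -TaskPath '\Microsoft\Windows\Registry\'
if (-not $task) { "[Task]   RegIdleBackup task not found (unexpected on a default Windows install)"; return }
$clsid = $task.Task.Actions.ComHandler.ClassId
if ($clsid -eq $ExpectedClsid) {
    "[Task]   RegIdleBackup COM handler is the expected CLSID $clsid"
} else {
    "[Task]   WARNING: RegIdleBackup COM handler CLSID is '$clsid' (expected $ExpectedClsid)"
    # 4. Dump whatever the substituted CLSID resolves to; long Base64-looking values are the IoC the checklist describes
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $path = "$hive\$clsid"
        if (-not (Test-Path $path)) { continue }
        @(Get-Item $path) + @(Get-ChildItem $path -Recurse) | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $val  = [string]$key.GetValue($name)
                $flag = if ($val -match '^[A-Za-z0-9+/]{40,}={0,2}$') { '   <-- Base64-like' } else { '' }
                "    $($key.Name)\$name = $val$flag"
            }
        }
    }
}
```

Run it from an elevated prompt on the Serv-U host; the 4104 check only returns anything if script-block logging was enabled before the intrusion, so an empty result there is not evidence of absence.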

Despite the numerous alerts to apply the security update, many vulnerable Serv-U servers remain publicly accessible.

Most vulnerable Serv-U FTP instances are located in China, while the United States comes in second.

[Figure: Countries with the most vulnerable Serv-U instances. Source: NCC Group]

It’s been almost four months since SolarWinds released the security update for this vulnerability, but the percentage of potentially vulnerable Serv-U servers remains above 60%.

“In July, 5945 (~94%) of all Serv-U (S)FTP services identified on port 22 were potentially vulnerable. In October, three months after SolarWinds released their patch, the number of potentially vulnerable servers is still significant at 2784 (66.5%),” warn the researchers in their report.

