We are sharing this information as a call to action for organisations using SolarWinds Serv-U software and incident responders currently dealing with Clop ransomware. NCC Group strongly advises updating systems running SolarWinds Serv-U software to the most recent version (at minimum version 15.2.3 HF2) and checking whether exploitation has happened as detailed below. We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the Clop ransomware. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. Apply the Principle of Least Privilege to all systems and services.NCC Group’s global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks.Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.Update to SolarWinds ServU-FTP Version 15.2.2 HF1.Update to SolarWinds Orion Platform Version 2020.2.4.Apply appropriate updates provided by SolarWinds to vulnerable systems, immediately after appropriate testing.We recommend the following actions be taken: The attacker is then able to log in via FTP and read or replace any file on the server since the FTP server runs with LocalSystem permissions. By setting a simple field in the file and setting the home directory to the root of the system drive, an authenticated attacker can drop a file that defines a new admin user, which the ServU-FTP will automatically detect. These files can be created by any authenticated user. The SolarWinds Serv-U FTP Server stores user accounts in a separate files on the disk.After authenticating to the Microsoft SQL Server with the decrypted credentials, a threat actor would have complete control over the SolarWinds Orion database and could steal information or add admin-level users. The sensitive data in the SOLARWINDS_ORION configuration file can be read locally by authenticated users. Credentials for the SolarWinds Orion backend database were insufficiently protected, which allows local authenticated users to have unrestricted access to them.This could allow an attacker to gain complete control of the underlying Windows system. Unauthenticated remote users can send messages to the queues over TCP port 1801 and can execute arbitrary code due to an insecure deserialization. The SolarWinds Orion Collector service relies heavily on Microsoft Message Queue (MSMQ), with a large list of private queues available.Details of these vulnerabilities are as follows: Multiple vulnerabilities have been discovered in SolarWinds Orion and ServU-FTP, the most severe of which could allow for remote code execution.
0 Comments
Leave a Reply. |