The CVE-2021-35211 remote code execution vulnerability in Serv-U Managed File Transfer and Serv-U Secure FTP allows a remote threat actor to execute instructions on a susceptible server with elevated privileges.
After detecting “a single threat actor” leveraging it in assaults, SolarWinds issued an emergency security upgrade in July 2021.
Customers who have activated the SSH capability, which is widely used to further safeguard connections to the FTP server, are not affected by this issue, according to the business.
What Happened?
Clop ransomware attacks have increased in recent weeks, with the majority of them having as a starting point the exploitation of CVE-2021-35211.
The threat actors seem to be using Serv-U in the new assaults detected by NCC to launch a sub-process controlled by the attackers, allowing them to perform instructions on the target machine.
In this manner the malware will be deployed, network surveillance will be performed, and lateral movement will take place, thus setting the groundwork for a ransomware assault.
Exception errors in the Serv-U logs, which are created when the vulnerability is exploited, are a telltale clue that the weakness is being exploited.
Traces of PowerShell command execution, which is used to deploy a Cobalt Strike beacon on the susceptible machine, are another evidence of exploitation.
The actors utilize a genuine scheduled process for routinely backing up registry hives and misuse the accompanying COM handler to load ‘FlawedGrace RAT’ for persistence.
As reported by BleepingComputer, NCC Group has created a useful checklist for system any administrators who suspect compromise:
- Check if your Serv-U version is vulnerable
- Locate the Serv-U’s DebugSocketlog.txt
- Search for entries such as ‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’ in this log file
- Check for Event ID 4104 in the Windows Event logs surrounding the date/time of the exception and look for suspicious PowerShell commands
- Check for the presence of a hijacked Scheduled Task named RegIdleBackup using the provided PowerShell command
- In case of abuse: the CLSID in the COM handler should NOT be set to {CA767AA8-9157-4604-B64B-40747123D5F2}
- If the task includes a different CLSID: check the content of the CLSID objects in the registry using the provided PowerShell command, returned Base64 encoded strings can be an indicator of compromise.
Unfortunately, it seems that many vulnerable Serv-U servers remain publicly accessible, with the most vulnerable Serv-U FTP instances being found in China and the United States.
How Can Heimdal™ Help?
In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module. This module is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).
If you liked this article follow us on LinkedIn, Twitter, YouTube, Facebook, and Instagram to keep up to date with everything about cybersecurity.