However, because of the lack of evidence, it is impossible to find a connection between Spiral and DEV-0322. The Supernova webshell was previously used by a Chinese APT group, Spiral, during the December 2020 SolarWinds attack. This allowed the attackers to aim at all Internet-facing SSH ports and servers in the specific target sectors and create a backdoor. Once they bypassed authentication through the Secure Shell Protocol (SSH) flaw, they were able to deploy a Supernova webshell to the disk using a PowerShell command. The attackers gained initial access to a vulnerable server by leveraging an older Orion API vulnerability (CVE-2020-10148). ![]() Patches for the CVE were issued after the December 2020 Sunburst malware attack.Īccording to the Microsoft report, the DEV-0322 attacks were discovered during a routine test of the Windows Defender antivirus, which detected malicious processes originating from the Serv-U primary application. ![]() The Chinese group exploiting the FTP server was notably using the Orion API issue to remotely execute API commands to deploy a Supernova webshell. The vulnerability has been in use since it was last exploited in December 2020.Ĭlassified under two weakness enumerations, CWE-287 (Improper Authentication) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel), the CVE has a CVSS v3 score of 9.8 and is critical in severity. The attackers also actively exploited an existing SolarWinds Orion API vulnerability (CVE-2020-10148) to gain initial access to a vulnerable server.ĬVE-2020-10148 is an authentication bypass vulnerability in the SolarWinds Orion API. The remote memory escape vulnerability allows attackers to gain privileged access to machines hosting Serv-U products.Ī hotfix for the issue was released by SolarWinds on the day Microsoft discovered the zero-day vulnerability. The CVE is classified under CWE-668 (Exposure of Resource to Wrong Sphere) as a critical vulnerability with a CVSS v3 score of 10. Here is our analysis of the vulnerabilities.ĬVE-2021-35211 is a remote code execution vulnerability in the SolarWinds Serv-U product. The Chinese group, DEV-0322, exploited two CVEs to gain access to the Serv-U FTP server and conduct its target-specific attacks. SolarWinds released a hotfix for the zero-day vulnerability immediately after the discovery, and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on 13 July, 2021 to all SolarWinds users and administrators, emphasizing the urgency to implement the necessary updates. However, the issue only affects Serv-U 15.2.3 HF1 and older versions. Once the SSH is exposed to the Internet, attackers who successfully exploit it can run arbitrary code with remote privileges, allowing them to install and run malicious codes or view and change data. The recently discovered vulnerability exists in the implementation of the Serv-U Secure Shell (SSH) protocol. The news of the threat campaign comes in the wake of a series of recent attacks by the Russian APT group, Nobelium, which was involved in the Solarwinds Orion attack in December 2020. However, it is not yet certain if SPIRAL and DEV-0322 are related in any way.ĭEV-0322 was seen using CVE-2021-35211 to launch limited and targeted attacks on organizations in the Asia-Pacific, before venturing towards the US defense industrial base sector and leading companies in the North American healthcare, hospitality, education, software, and telecommunication sectors. Another Chinese APT group called SPIRAL was also seen targeting vendors. The threat campaign was attributed to a Chinese group called DEV-0322. On July 9, 2021, Microsoft informed SolarWinds of a zero-day vulnerability ( CVE-2021-35211) in its Serv-U Managed File Transfer software that was being exploited in the wild. We urge customers to immediately update systems running SolarWinds Serv-U software to version 15.2.3 HF2 and above. The Serv-U vulnerability was used as an initial access technique deviating from their usual tactics of a phishing-based approach. ![]() The cybercrime threat actor, TA505, also known as Hive0065, uses Clop ransomware for extortion attacks. : An increase in Clop ransomware victims in the last few months was traced back to the SolarWinds Serv-U FTP vulnerability which is being abused by the threat actor, TA505.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |