Mon | Jul 12, 2021 | 2:15 PM PDT

SolarWinds just can't seem to keep its name out of the news.

The company, the victim of one of the most widely reported cyberattacks on record, disclosed in December 2020, has announced a new security advisory for a zero-day vulnerability.

Is the old saying "there's no such thing as bad press" still relevant?

SolarWinds Serv-U vulnerability

The company issued a warning that a small, targeted group of its customers was attacked. The vulnerability affects only customers running Serv-U Managed File Transfer and Serv-U Secure FTP; no other SolarWinds products are affected.

Below you can find SolarWinds' response to some frequently asked questions.

What exactly happened?

"Microsoft reported to SolarWinds that they had discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product. Microsoft provided a proof of concept of the exploit. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U.

To the best of our understanding, no other SolarWinds products have been affected by this vulnerability."

How can you tell if you have been compromised?

"The following are steps you can take to determine if your environment has been compromised:

1. Is SSH enabled for your Serv-U installation? If SSH is not enabled in the environment, the vulnerability does not exist.

2. Is your environment throwing exceptions? This attack is a Return Oriented Programming (ROP) attack. When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack.

Please collect the DebugSocketlog.txt log file.
In the log file DebugSocketlog.txt you may see an exception, such as:

07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005;  CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066;  nPacketLength = 76; nBytesReceived = 80;  nBytesUncompressed = 156;  uchPaddingLength = 5

Exceptions may be thrown for other reasons, so please collect the logs to assist with determining your situation.

3. Are you seeing potentially suspicious connections via SSH? Look for connections via SSH from the following IP addresses, which have been reported as a potential indicator of attack by the threat actor:

98.176.196.89
68.235.178.32

or, look for connections via TCP 443 from the following IP address:
208.113.35.58"
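As an added example (not from the article or from SolarWinds), the Python script below applies steps 2 and 3 of the advisory to a DebugSocketlog.txt file offline: it flags the specific exception shape the advisory quotes (a C0000005 access violation inside CSUSSHSocket::ProcessReceive) while ignoring exceptions raised elsewhere, and it flags any line that mentions one of the three published IP addresses. The sample log lines are constructed for the example; only the EXCEPTION line follows the advisory's format, and the "Connected to ..." lines assume a connection-log layout that Serv-U may not use verbatim, so adjust the regexes to your own log before relying on them.

```python
import re
from typing import Dict, List

# Indicators quoted from the SolarWinds advisory in this article.
SSH_IOC_IPS = {"98.176.196.89", "68.235.178.32"}   # reported SSH sources
HTTPS_IOC_IPS = {"208.113.35.58"}                  # reported TCP 443 source

# The advisory's sample exception: status C0000005 (an access violation)
# raised inside CSUSSHSocket::ProcessReceive, i.e. while parsing an SSH packet.
# Exceptions in other functions are deliberately NOT matched, because the
# advisory notes that exceptions by themselves are not an indicator of attack.
SSH_EXCEPTION_RE = re.compile(
    r"EXCEPTION:\s*C0000005;\s*CSUSSHSocket::ProcessReceive\(\)"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log (not real Serv-U output). Line 2 copies the
# advisory's exception; lines 1, 3, 4 and 5 use an assumed connection-log
# layout and an unrelated exception to show what must NOT be flagged.
SAMPLE_LOG = [
    "[01] Tue 01Jun21 02:42:55 - (000001) Connected to 203.0.113.7 (local address 192.0.2.10, port 22)",
    "[07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005;  CSUSSHSocket::ProcessReceive(); Type: 30; "
    "puchPayLoad = 0x041ec066;  nPacketLength = 76; nBytesReceived = 80;  nBytesUncompressed = 156;  uchPaddingLength = 5",
    "[01] Tue 01Jun21 02:43:10 - (000002) Connected to 98.176.196.89 (local address 192.0.2.10, port 22)",
    "[02] Tue 01Jun21 02:43:11 - EXCEPTION: C0000005;  CFileIO::Read(); unrelated crash in another component",
    "[01] Tue 01Jun21 02:44:02 - (000003) Connected to 208.113.35.58 (local address 192.0.2.10, port 443)",
]


def scan_debug_socket_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per indicator hit, with the 1-based line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        if SSH_EXCEPTION_RE.search(line):
            findings.append({"line": lineno, "kind": "ssh_exception", "detail": line.strip()})
        for ip in IPV4_RE.findall(line):
            if ip in SSH_IOC_IPS:
                findings.append({"line": lineno, "kind": "ioc_ip_ssh", "ip": ip, "detail": line.strip()})
            elif ip in HTTPS_IOC_IPS:
                findings.append({"line": lineno, "kind": "ioc_ip_443", "ip": ip, "detail": line.strip()})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings by kind so a responder sees both signals together:
    an SSH-parsing crash alone is weak evidence; a crash plus a known
    attacker address on the same host is worth escalating."""
    counts: Dict[str, int] = {}
    for f in findings:
        kind = str(f["kind"])
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def load_log(path: str) -> List[str]:
    """Read a real DebugSocketlog.txt; Serv-U writes it as plain text."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    hits = scan_debug_socket_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["line"], hit["kind"], hit.get("ip", ""), sep="\t")
    print(summarize(hits))
```

Step 1 of the advisory (is SSH enabled at all?) is a configuration check in the Serv-U Management Console, not something a log scan can answer; if SSH is disabled, the exception signature is irrelevant. The TCP 443 indicator is best checked against firewall, proxy or NetFlow records as well, since a connection that never reached the Serv-U listener will not appear in its debug log.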

Is this vulnerability related to the SUNBURST cyberattack?

"No. It's important to note this new vulnerability is completely unrelated to the SUNBURST supply chain attack. Software vulnerabilities are quite common, range in severity levels, and are routinely resolved by software vendors as part of their ongoing maintenance release schedules."

For more information, you can read SolarWinds' security advisory on the situation.
