Embattled software firm SolarWinds has released another hotfix to patch a remote code execution vulnerability in a couple of its Serv-U products, after cybersecurity teams at Microsoft informed it that the flaw existed and was being actively exploited. This is yet another incident in the series of high-profile attacks that has beleaguered the company since 2020.
Microsoft discovered the exploits and privately reported them to SolarWinds recently. SolarWinds issued a statement, published Friday, July 9th, in which it claims this new attack is completely unrelated to the massive supply chain attack that was discovered in December. SolarWinds further stated that it “…[does] not currently have an estimate of how many customers may be directly affected by the vulnerability” and that “SolarWinds is unaware of the identity of the potentially affected customers.”
The affected software is the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP platforms. The vulnerability also affects the Serv-U Gateway, a component of those two products. It allows an attacker to remotely execute malicious code on vulnerable systems.
The danger of an attack like this is that there are potentially thousands of customers already running the Serv-U platform who may have had remote code injected into their systems. The rate of infection earlier this year with the Microsoft Exchange hack was astonishing: attackers found ways to automatically scan the Internet, compromise exposed servers, plant a remote tool, and then break into the systems later to inflict more damage. Analysts are concerned about the same kind of scenario with this attack as well. What makes the exploit particularly dangerous is that an attacker can gain privileged access to exploited machines hosting Serv-U products and could then install programs; view, change, or delete data; run programs on the affected system; and so on. Microsoft notes that the vulnerability exists in the latest Serv-U version, 15.2.3 HF1, released on May 5, as well as in all prior versions. SolarWinds issued a hotfix to mitigate the attacks while the company works on a permanent solution. The hotfix is available here.
The US federal government attributed last year’s monumental supply chain attack to hackers working for Russia’s Foreign Intelligence Service (abbreviated as SVR), which for more than a decade has conducted malware campaigns targeting governments, political think tanks, and other organizations in countries including Germany, Uzbekistan, South Korea and the US. The hackers who used that access to push a malicious software update last year to 18,000 customers of SolarWinds’ Orion network management product caused massive and widespread devastation. Last year, zero-day vulnerabilities in SolarWinds’ Orion product also came under exploit by a different set of state actors, one that has been tied to China’s CCP. At least one US government agency was targeted in that operation.
As of the time of this writing, Microsoft noted that it had observed an advanced cybercriminal group operating out of China using the zero-day remote code execution vulnerability to attack SolarWinds software. Engineers at Microsoft have observed the hacking group targeting organizations in the US military research and development sector as well as the software sector.
The SolarWinds saga will continue as the fallout from this massive and widespread assault is only just getting started.