The corporation patched new vulnerabilities in its protocol

Jul 13, 2021 15:24 GMT  ·  By

After being targeted by a massive supply chain attack in late 2020, SolarWinds has issued new fixes to remedy a remote code execution vulnerability in its Serv-U managed file transfer service, according to The Hacker News.

The updates cover the Serv-U Managed File Transfer and Serv-U Secure FTP products and were released after Microsoft identified the vulnerability. It is not yet known who the threat actor behind the exploit is, nor how the attack was carried out, although the vulnerability had been exploited in the wild for some time.

Successful exploitation of the weakness (CVE-2021-35211) can let an attacker read, alter or delete sensitive data and install malicious programs on the affected system. SSH connections from the IP addresses 98.176.196.89 and 68.235.178.32, and TCP connections on port 443 to the IP address 208.113.35.58, are indicators of possible compromise. To prevent a breach, affected users should disable SSH access on the Serv-U installation.
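The three network indicators above are concrete enough to check against connection logs. The script below is an added example written for this page, not code from SolarWinds, Microsoft or The Hacker News: it parses a constructed, generic connection-log format (`timestamp direction proto src:port dst:port`, an assumption made so the script runs offline), flags inbound sessions from the two listed source addresses and outbound TCP/443 sessions to the listed destination, skips lines it cannot parse, and deliberately does not flag traffic to the same destination on other ports, since the published indicator names port 443 specifically.

```python
"""Check connection-log records against the CVE-2021-35211 network indicators
named in the article (two SSH source addresses, one TCP/443 destination).

Added example for this page, not SolarWinds or Microsoft code. The log format
('timestamp direction proto src:port dst:port') is a constructed, generic one
chosen so the script runs offline; a real deployment would feed it firewall or
NetFlow records in whatever format the site actually keeps.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# Indicators quoted in the article: SSH sessions from these two addresses ...
INBOUND_SSH_SOURCES = {"98.176.196.89", "68.235.178.32"}
# ... and TCP connections on port 443 to this address.
OUTBOUND_C2 = ("208.113.35.58", 443)


class Hit(NamedTuple):
    line_no: int   # 1-based line number in the input
    reason: str
    record: str


def parse_record(line: str) -> dict:
    """Parse one constructed record; raises ValueError on a malformed line."""
    ts, direction, proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    # ip_address() raises ValueError on junk, so bad lines are skipped by the caller
    ipaddress.ip_address(src_ip)
    ipaddress.ip_address(dst_ip)
    return {
        "ts": ts, "direction": direction.lower(), "proto": proto.lower(),
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
    }


def match_indicators(rec: dict) -> str:
    """Return a reason string if the record matches an indicator, else ''."""
    if rec["proto"] != "tcp":
        return ""
    # The article names the source addresses but not the SSH port, and a Serv-U
    # SSH listener need not sit on 22, so inbound sessions match on source only.
    if rec["direction"] == "in" and rec["src_ip"] in INBOUND_SSH_SOURCES:
        return f"inbound SSH from listed source {rec['src_ip']}"
    # The outbound indicator is specifically port 443; other ports to the same
    # address are outside the published indicator and are left unflagged.
    if rec["direction"] == "out" and (rec["dst_ip"], rec["dst_port"]) == OUTBOUND_C2:
        return f"outbound TCP/443 to listed address {rec['dst_ip']}"
    return ""


def scan_log(text: str) -> Tuple[List[Hit], int]:
    """Scan log text; return (hits, number_of_unparseable_lines)."""
    hits: List[Hit] = []
    skipped = 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError:
            skipped += 1
            continue
        reason = match_indicators(rec)
        if reason:
            hits.append(Hit(line_no, reason, line))
    return hits, skipped


# Constructed sample records (not real traffic): a Serv-U host at 10.0.0.5.
SAMPLE_LOG = """\
2021-07-09T02:11:05Z in  tcp 98.176.196.89:51522 10.0.0.5:22
2021-07-09T02:11:09Z out tcp 10.0.0.5:49311 208.113.35.58:443
2021-07-09T02:12:00Z in  tcp 203.0.113.7:40000 10.0.0.5:22
2021-07-09T02:12:30Z out tcp 10.0.0.5:49320 208.113.35.58:80
this line is malformed
2021-07-09T02:13:00Z in  tcp 68.235.178.32:60001 10.0.0.5:2222
"""

if __name__ == "__main__":
    found, bad = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.reason}")
    print(f"{len(found)} hit(s), {bad} unparseable line(s) skipped")
```

Run against the constructed sample, the script reports lines 1, 2 and 6 and skips one malformed line; line 4 (port 80 to the listed address) is intentionally not reported, which is the kind of gap an analyst should be aware of when an indicator is published with a specific port.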

The latest exploit activity does not appear to be related to last year's breach

SolarWinds' advisory reads: "Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability."

The U.S. government believes the hackers behind last year's breach are linked to Russia's Foreign Intelligence Service, known as the SVR. According to reports, the SVR has carried out malware attacks against political think tanks, governments and other organizations in nations including the United States, South Korea, Uzbekistan and Germany. In 2014, the U.S. State Department and the White House were among its targets.

An estimated 18,000 customers were affected when attackers gained unauthorized access to SolarWinds' Orion network management product. So far, around 110 of those clients are known to have been targeted by a follow-on attack that exfiltrated confidential data via the Sunburst malware. SolarWinds stated that the current exploit activity does not appear to be connected.