Clop, a ransomware operation linked to the threat groups tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to break into corporate networks and encrypt devices, according to a new report from the NCC Group.
The flaw, CVE-2021-35211, is a remote code execution vulnerability in Serv-U Managed File Transfer and Serv-U Secure FTP that lets remote attackers execute arbitrary code on a vulnerable server with elevated privileges.
SolarWinds issued an emergency security update in July 2021 after detecting "a single threat actor" exploiting the bug in attacks. The vulnerability lies in Serv-U's SSH implementation, so according to the vendor, customers who have not enabled SSH (which is commonly turned on to further protect connections to the FTP server) are not affected.
According to the NCC Group's new analysis, Clop ransomware incidents have increased recently, and most of the ones it investigated began with the exploitation of CVE-2021-35211.
While the Clop gang is known for exploiting vulnerabilities, as in the Accellion FTA zero-day attacks, the researchers note that TA505 has historically preferred to gain initial access through phishing emails carrying malicious attachments.
In the new attacks observed by NCC, the threat actors exploit Serv-U to spawn an attacker-controlled child process from the Serv-U service, which lets them execute commands on the victim system.
That foothold is then used to deploy malware, perform network reconnaissance, and move laterally, laying the groundwork for the ransomware deployment.
Exploitation leaves a distinctive trace: triggering the vulnerability causes Serv-U to write an exception error to its logs, so the presence of that error is a strong indicator that the weakness has been used against the server.
The following string appears in the logs as an exception error:
'EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();'
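As an added example (not from the NCC report or from SolarWinds), the script below scans Serv-U log text for the exception string quoted above and attributes each hit to the peer that opened the same session, so that repeated crashes from one source stand out. The log file name DebugSocketLog.txt and the sample line format are assumptions; the sample lines are constructed for the example and are not real Serv-U output, so adjust the regular expressions to match the format your installation actually writes.

```python
import re
import sys
from typing import Dict, List, Optional

# Exception string the report ties to exploitation of CVE-2021-35211 (from the page).
EXCEPTION_MARKER = "EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();"

# Assumed log file name; verify against your Serv-U installation.
ASSUMED_LOG_NAME = "DebugSocketLog.txt"

# Constructed sample log lines (not real Serv-U output): one peer opens two SSH
# sessions that both crash in CSUSSHSocket::ProcessReceive, while a third session
# from another peer raises an unrelated exception that must NOT be flagged.
SAMPLE_LOG = """\
[01] Tue 02Nov21 10:14:02 - (000001) Connected to 203.0.113.10 (local address 10.0.0.5, port 22)
[01] Tue 02Nov21 10:14:05 - (000001) EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();
[01] Tue 02Nov21 10:14:09 - (000002) Connected to 203.0.113.10 (local address 10.0.0.5, port 22)
[01] Tue 02Nov21 10:14:11 - (000002) EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();
[01] Tue 02Nov21 10:20:44 - (000003) Connected to 198.51.100.7 (local address 10.0.0.5, port 21)
[01] Tue 02Nov21 10:20:45 - (000003) EXCEPTION: C0000005; CFTPSocket::OtherMethod();
"""

# Assumed line shapes: "(<session>) Connected to <ip> ..." and "(<session>) <message>".
CONNECT_RE = re.compile(r"\((?P<session>\d+)\)\s+Connected to (?P<ip>[0-9A-Fa-f:.]+)")
SESSION_RE = re.compile(r"\((?P<session>\d+)\)")


def find_exploit_attempts(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per CSUSSHSocket::ProcessReceive exception.

    Each record carries the log line number, the session id, and the peer IP
    recorded when that session connected (or "unknown" if never seen).
    """
    session_peer: Dict[str, str] = {}
    hits: List[Dict[str, Optional[str]]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        connect = CONNECT_RE.search(line)
        if connect:
            # Remember which peer owns this session so a later crash can be attributed.
            session_peer[connect.group("session")] = connect.group("ip")
            continue
        if EXCEPTION_MARKER in line:
            sess = SESSION_RE.search(line)
            session = sess.group("session") if sess else None
            hits.append({
                "line": str(lineno),
                "session": session,
                "peer": session_peer.get(session, "unknown") if session else "unknown",
                "text": line.strip(),
            })
    return hits


def peers_by_hit_count(hits: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count flagged exceptions per peer, most active peer first."""
    counts: Dict[str, int] = {}
    for hit in hits:
        peer = hit["peer"] or "unknown"
        counts[peer] = counts.get(peer, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def scan_log_file(path: str) -> List[Dict[str, Optional[str]]]:
    """Scan a log file on disk; errors="replace" tolerates odd bytes in crash lines."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_exploit_attempts(fh.read())


if __name__ == "__main__":
    # Usage: python serv_u_check.py [path-to-DebugSocketLog.txt]; with no
    # argument the constructed sample log is scanned instead.
    results = scan_log_file(sys.argv[1]) if len(sys.argv) > 1 else find_exploit_attempts(SAMPLE_LOG)
    for hit in results:
        print(f"line {hit['line']}: session {hit['session']} peer {hit['peer']}: {hit['text']}")
    print("hits per peer:", peers_by_hit_count(results))
```

One exception entry on its own shows only that the SSH receive path crashed on malformed input; treat it as a strong lead rather than proof, and confirm by checking the connecting IPs it points to and by looking for child processes spawned by the Serv-U service around the same timestamps, which is the post-exploitation behaviour the report describes.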
Despite repeated reminders to install the security update, many vulnerable Serv-U servers remain exposed to the internet. China hosts the largest number of vulnerable Serv-U FTP instances, with the United States second.
Although SolarWinds released the fix for this vulnerability roughly four months ago, the share of internet-exposed Serv-U servers that are potentially vulnerable is still above 60%.
In its report, the NCC Group warns that the number of potentially vulnerable servers remained substantial at 2,784 (66.5 percent of those observed) three months after SolarWinds shipped the fix.