By: Dataprise
In an advisory published on its website on July 9, 2021, SolarWinds disclosed that Microsoft had notified it of a critical security vulnerability affecting its Serv-U Managed File Transfer and Serv-U Secure FTP products. The vulnerability (CVE-2021-35211) allows Remote Code Execution (RCE) in those products. SolarWinds stated in the advisory that the vulnerability affects only Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able products.
Microsoft observed the vulnerability being exploited by a single threat actor against a small set of targeted SolarWinds customers. SolarWinds confirmed that the vulnerability exists in Serv-U version 15.2.2 HF1 and all earlier versions, and developed and released a hotfix, Serv-U version 15.2.3 HF2, to resolve it. However, it was reported at the time that the hotfix did not completely resolve the vulnerability or mitigate the exploit, so the hotfix should be applied together with the detection and mitigation steps below rather than treated as the only control.
The investigation, carried out by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft's offensive security research team, found the Remote Code Execution (RCE) vulnerability in the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP products. Microsoft provided SolarWinds with a proof of concept (PoC) of the exploit. A threat actor who successfully exploits this vulnerability may be able to gain privileged access to the machine hosting the affected Serv-U product.
SolarWinds suggests the following steps to determine whether your environment has been compromised.
1. Check whether SSH is enabled for your Serv-U installation. The exploit is delivered through Serv-U's SSH service (the exception below is raised in CSUSSHSocket, and the vendor's mitigation is to disable SSH), so an installation with SSH disabled does not expose this attack path.
2. This attack is a Return-Oriented Programming (ROP) attack. When exploited successfully, the vulnerability causes the Serv-U process to throw an exception, and the attacker hijacks the exception-handling code to run commands. An exception by itself, however, is not necessarily an indicator of attack.
Collect the DebugSocketLog.txt log file. In it you may see an exception such as:
07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
(C0000005 is the Windows STATUS_ACCESS_VIOLATION code; the function name CSUSSHSocket::ProcessReceive() is what ties the crash to the SSH receive path rather than to some unrelated fault.)
Exceptions may be thrown for other reasons, so collect the logs and correlate them with other security logs (firewall, authentication and endpoint telemetry) before concluding that your SolarWinds Serv-U instance has been compromised.
The following source IP addresses and connection methods have been reported as potential indicators of attack by the threat actor:
• 98.176.196.89 (TCP port 22 – SSH)
• 68.235.178.32 (TCP port 22 – SSH)
• 208.113.35.58 (TCP port 443 – HTTPS)
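The two checks above (the CSUSSHSocket::ProcessReceive() access violation in DebugSocketLog.txt, and connections from the listed IOC addresses) are easier to apply consistently across every Serv-U host if they are scripted. The Python script below is an added example written for this post; it is not SolarWinds or Microsoft code. It assumes that the bracketed number at the start of each Serv-U log line is a session/thread id and that connection lines carry the client IPv4 address in plain text; the SAMPLE_LOG lines are constructed for illustration, and only the first exception line mirrors the advisory's sample. Run it as `python serv_u_triage.py DebugSocketLog.txt`, or with no argument to process the built-in sample.

```python
"""Triage Serv-U DebugSocketLog.txt for the CVE-2021-35211 indicators above.

Added example (not SolarWinds/Microsoft code). Assumptions, labelled:
  - the leading "[NN]" on a Serv-U log line is a session/thread id;
  - connection lines mention the client IPv4 address in plain text.
"""
import re
import sys
from datetime import datetime, timedelta

# Source addresses listed in the advisory (copied from the IOC list above).
IOC_IPS = {"98.176.196.89", "68.235.178.32", "208.113.35.58"}

# Serv-U log prefix: "[07] Tue 01Jun21 02:42:58 - ..." (opening bracket optional,
# because the sample quoted in the advisory lost it).
PREFIX_RE = re.compile(
    r"^\[?(?P<thread>\d+)\]\s+(?P<ts>\w{3} \d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2})\s+[-–]\s+"
)
# The advisory's signature: STATUS_ACCESS_VIOLATION (C0000005) raised inside
# CSUSSHSocket::ProcessReceive(). Other codes or functions are not this indicator.
EXCEPTION_RE = re.compile(r"EXCEPTION:\s*(?P<code>[0-9A-Fa-f]{8});\s*(?P<func>[\w:]+)\(\);")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TS_FORMAT = "%a %d%b%y %H:%M:%S"
SIGNATURE = ("C0000005", "CSUSSHSocket::ProcessReceive")


def _prefix(line):
    """Parse the (thread, timestamp) prefix, or None for lines without one."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    return m["thread"], datetime.strptime(m["ts"], TS_FORMAT)


def find_exceptions(lines):
    """Return [(thread, timestamp)] for lines matching the advisory's exception signature."""
    hits = []
    for line in lines:
        head = _prefix(line)
        m = EXCEPTION_RE.search(line)
        if head and m and (m["code"].upper(), m["func"]) == SIGNATURE:
            hits.append(head)
    return hits


def find_ioc_connections(lines, iocs=IOC_IPS):
    """Return [(thread, timestamp, ip)] for every prefixed line that mentions an IOC address."""
    hits = []
    for line in lines:
        head = _prefix(line)
        if not head:
            continue
        for ip in IPV4_RE.findall(line):
            if ip in iocs:
                hits.append((head[0], head[1], ip))
    return hits


def correlate(lines, window=timedelta(minutes=2)):
    """Pair each signature exception with IOC connections seen on the same
    session/thread within `window` before it. An exception with no IOC hit
    still needs a human look (the advisory says so), hence REVIEW, not CLEAR."""
    conns = find_ioc_connections(lines)
    findings = []
    for thread, ts in find_exceptions(lines):
        ips = sorted({ip for t, cts, ip in conns
                      if t == thread and timedelta(0) <= ts - cts <= window})
        findings.append({"thread": thread, "time": ts.isoformat(sep=" "),
                         "ioc_ips": ips, "verdict": "HIGH" if ips else "REVIEW"})
    return findings


# Constructed sample. The third line mirrors the advisory's exception; the others
# are made up to exercise the filters (the last line has a different exception code).
SAMPLE_LOG = """\
[03] Tue 01Jun21 02:40:10 - Connected to 203.0.113.7 (local address 10.0.0.12, port 22)
[07] Tue 01Jun21 02:42:51 - Connected to 98.176.196.89 (local address 10.0.0.12, port 22)
[07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
[03] Tue 01Jun21 02:45:02 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x0420a1f0; nPacketLength = 64; nBytesReceived = 68; nBytesUncompressed = 140; uchPaddingLength = 5
[09] Tue 01Jun21 02:46:00 - EXCEPTION: C0000094; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x04211000; nPacketLength = 32; nBytesReceived = 36; nBytesUncompressed = 60; uchPaddingLength = 4
""".splitlines()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for f in correlate(lines):
        print(f"{f['verdict']:6} thread={f['thread']} at {f['time']} ioc_ips={f['ioc_ips'] or '-'}")
```

On the sample, the thread 07 exception is preceded seven seconds earlier by a connection from 98.176.196.89 and is reported as HIGH; the thread 03 exception has no IOC connection and is reported as REVIEW, which is the right outcome given that the same exception can occur for benign reasons. The attacker's addresses can change, so treat a REVIEW finding as a prompt to pull firewall and authentication logs for that session rather than as a clean result.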
SolarWinds recommends the following remediation steps:
1. Apply the latest hotfix, Serv-U version 15.2.3 HF2, released by SolarWinds.
2. Disable SSH access on machines running Serv-U products. This removes the attack surface the exploit uses and is the only one of these steps that blocks the exploit regardless of where the attacker connects from.
3. Block the IP addresses listed in the IOCs on all perimeter firewalls. Attacker infrastructure changes, so treat this as a short-term control that complements, and does not replace, the hotfix.
• Stephen Jones, Senior Director Cybersecurity
• Ayyappa Vyamasani, Cybersecurity Analyst
• Susan Verdin, Cybersecurity Analyst
• Maximo Bredfeldt, Virtual CISO (vCISO)