The TA505 cybercrime group, known for extortion attacks using Cl0p ransomware, is abusing a SolarWinds Serv-U vulnerability to compromise corporate networks and ultimately plant ransomware on organizations’ machines.
Researchers at NCC Group’s global Cyber Incident Response Team said they noticed an increase in Cl0p ransomware attacks that can be tracked to TA505.
The vulnerability in question is CVE-2021-35211, which is the Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution flaw that allows a remote attacker to execute commands on a vulnerable server with elevated privileges.
Although SolarWinds released a patch for this vulnerability almost four months ago, over 60% of the Serv-U servers exposed online are still potentially vulnerable.
“In July, 5945 (~94%) of all Serv-U (S)FTP services identified on port 22 were potentially vulnerable. In October, three months after SolarWinds released their patch, the number of potentially vulnerable servers is still significant at 2784 (66.5%),” the researchers said in their report.
In the recent TA505 attacks observed by NCC, the hackers exploited Serv-U to spawn an attacker-controlled sub-process, which allowed them to run commands on the target system.
“We observed that Base64 encoded PowerShell commands were logged shortly after the Serv-U exceptions indicating exploitation. The PowerShell commands ultimately led to deployment of a Cobalt Strike Beacon on the system running the vulnerable Serv-U software,” the researchers said.
In order to gain persistence, the hackers hijack a scheduled task named RegIdleBackup and abuse the COM handler associated with it to load the FlawedGrace RAT, a piece of malware from TA505’s arsenal that the group has been using since November 2017.
NCC has shared some tips for system administrators to help them determine if their network has been compromised by TA505:
- Check if your Serv-U version is vulnerable
- Locate Serv-U’s DebugSocketlog.txt
- Search for entries such as ‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’ in this log file
- Check for Event ID 4104 in the Windows Event logs surrounding the date/time of the exception and look for suspicious PowerShell commands
- Check for the presence of a hijacked Scheduled Task named RegIdleBackup using the provided PowerShell command
- If the task has been abused, the CLSID in its COM handler will NOT be the legitimate value {CA767AA8-9157-4604-B64B-40747123D5F2}
- If the task includes a different CLSID: check the content of the CLSID objects in the registry using the provided PowerShell command; returned Base64 encoded strings can be an indicator of compromise.
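A triage script that works through the log, event-log and scheduled-task checks in this list, added here as an example and not NCC Group's published command. It assumes Serv-U's default log location under C:\ProgramData\RhinoSoft\Serv-U, that PowerShell Script Block Logging is enabled on the host, and the legitimate RegIdleBackup CLSID quoted above.

```powershell
# Triage script for the NCC Group checklist above (added example, not NCC's own command).
# Assumptions: default Serv-U log path, Script Block Logging enabled, and the
# genuine RegIdleBackup COM handler CLSID quoted in the article.
$ExpectedClsid = '{CA767AA8-9157-4604-B64B-40747123D5F2}'
$LogPath       = 'C:\ProgramData\RhinoSoft\Serv-U\DebugSocketlog.txt'   # assumed default location
$Base64Run     = '[A-Za-z0-9+/]{40,}={0,2}'                               # long Base64-looking run

# 1. Serv-U exception entries that accompany exploitation of CVE-2021-35211
$exceptions = @()
if (Test-Path $LogPath) {
    $exceptions = @(Select-String -Path $LogPath -Pattern 'EXCEPTION: C0000005;\s*CSUSSHSocket::ProcessReceive' |
                    ForEach-Object { $_.Line })
}
Write-Host "[Serv-U] $($exceptions.Count) ProcessReceive exception line(s) in $LogPath"
$exceptions | Select-Object -First 5

# 2. Script Block Logging events (ID 4104) carrying encoded or Base64-decoding PowerShell;
#    correlate their TimeCreated with the exception timestamps from step 1
$events  = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue
$suspect = @($events | Where-Object {
    $script = [string]$_.Properties[2].Value                               # ScriptBlockText
    $script -match $Base64Run -or $script -match 'FromBase64String|-e[a-z]{0,13}\s+[A-Za-z0-9+/=]{20,}'
})
Write-Host "[PowerShell] $($suspect.Count) suspicious 4104 event(s)"
$suspect | Select-Object -Property TimeCreated, @{ n = 'Script'; e = { ([string]$_.Properties[2].Value) -replace '\s+', ' ' } } -First 5

# 3. RegIdleBackup: any COM handler CLSID other than the expected one is a hijack indicator
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Registry\' -TaskName 'RegIdleBackup' -ErrorAction SilentlyContinue
if (-not $task) { Write-Warning '[Task] RegIdleBackup not found'; return }
foreach ($clsid in @($task.Actions | Where-Object { $_.ClassId } | ForEach-Object { $_.ClassId })) {
    if ($clsid -ieq $ExpectedClsid) { Write-Host "[Task] RegIdleBackup uses the expected CLSID $clsid"; continue }
    Write-Warning "[Task] RegIdleBackup COM handler points to unexpected CLSID $clsid"
    # 4. Inspect the unexpected CLSID object in the registry for Base64-encoded values
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive $clsid
        if (-not (Test-Path $key)) { continue }
        foreach ($k in @(Get-Item $key) + @(Get-ChildItem $key -Recurse)) {
            foreach ($name in $k.GetValueNames()) {
                $value = $k.GetValue($name)
                if ($value -is [string] -and $value -match $Base64Run) {
                    Write-Warning ("[Registry] {0}\{1} holds Base64-looking data ({2} chars)" -f $k.Name, $name, $value.Length)
                }
            }
        }
    }
}
```

Run it in an elevated PowerShell session on the Serv-U host; the Base64 heuristics are deliberately broad, so review each flagged event and registry value by hand before treating it as confirmed compromise.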