The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt their devices.
The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution vulnerability, tracked as CVE-2021-35211, allows a remote threat actor to execute commands on a vulnerable server with elevated privileges.
SolarWinds also warned that this vulnerability only affects customers who have enabled the SSH feature, which is commonly used to further protect connections to the FTP server.
Vulnerability used in ransomware attacks
According to a new report by the NCC Group, there’s been an uptick in Clop ransomware infections in the past couple of weeks, with most of them starting with the exploitation of CVE-2021-35211.
While the Clop gang is known to use vulnerabilities in their attacks, such as the Accellion zero-day attacks, the researchers state that TA505 more commonly uses phishing emails with malicious attachments to breach networks.
In the new attacks spotted by NCC, the threat actors exploit Serv-U to spawn a sub-process controlled by the attackers, thus enabling them to run commands on the target system.
This opens up the way for malware deployment, network reconnaissance, and lateral movement, essentially laying the ground for a ransomware attack.
A characteristic sign that this flaw is being exploited is exception errors in the Serv-U logs, which are triggered by the exploitation attempt itself.
The exception error recorded in the logs will be similar to the string quoted in the checklist below, ‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’.
Another sign of exploitation is traces of PowerShell command execution, which is used to deploy a Cobalt Strike beacon on the vulnerable system.
For persistence, the actors hijack a legitimate scheduled task that is used for regularly backing up registry hives and abuse the associated COM handler to load ‘FlawedGrace RAT.’
FlawedGrace is a tool that TA505 has been using since at least November 2017, and it remains a reliable part of the group’s arsenal.
NCC Group has posted the following handy checklist for system administrators who suspect compromise:
Check if your Serv-U version is vulnerable
Locate the Serv-U’s DebugSocketlog.txt
Search for entries such as ‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’ in this log file
Check for Event ID 4104 in the Windows Event logs surrounding the date/time of the exception and look for suspicious PowerShell commands
Check for the presence of a hijacked Scheduled Task named RegIdleBackup using the provided PowerShell command
In case of abuse, the CLSID in the task’s COM handler will NOT be set to {CA767AA8-9157-4604-B64B-40747123D5F2}
If the task includes a different CLSID, check the content of the CLSID objects in the registry using the provided PowerShell command; returned Base64-encoded strings can be an indicator of compromise.
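The following PowerShell script is an added example, not code from the article or from NCC Group’s report, that walks through the checklist above on a Windows host running Serv-U: it searches DebugSocketlog.txt for the exception string, pulls Event ID 4104 script-block entries from the chosen time window, compares the RegIdleBackup task’s COM handler CLSID with the legitimate value given in the article, and flags Base64-looking registry values under any other CLSID. The default log path, the seven-day window and the keyword heuristics applied to the 4104 events are assumptions of this example and should be adjusted to the environment; the legitimate CLSID {CA767AA8-9157-4604-B64B-40747123D5F2} and the exception string come from the article.

```powershell
# Added triage example for the Serv-U (CVE-2021-35211) checklist. Not NCC Group's script.
# Assumed: default Serv-U log path and a 7-day window; both are parameters.
param(
    [string]  $DebugLog    = 'C:\ProgramData\RhinoSoft\Serv-U\DebugSocketlog.txt',  # assumed location
    [datetime]$WindowStart = (Get-Date).AddDays(-7),
    [datetime]$WindowEnd   = (Get-Date)
)

$ExceptionMarker = 'EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();'   # from the article
$LegitClsid      = '{CA767AA8-9157-4604-B64B-40747123D5F2}'                 # from the article
$findings        = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Serv-U debug log: the crash signature associated with exploitation attempts.
if (Test-Path -LiteralPath $DebugLog) {
    Select-String -LiteralPath $DebugLog -SimpleMatch -Pattern $ExceptionMarker | ForEach-Object {
        Add-Finding 'ServU-Exception' ("line {0}: {1}" -f $_.LineNumber, $_.Line.Trim())
    }
} else {
    Write-Warning "Debug log not found at $DebugLog; locate DebugSocketlog.txt in the Serv-U install directory."
}

# 2. PowerShell script-block logging (Event ID 4104) around the time of the exception.
#    The keyword list is an assumed heuristic for loader activity; review every hit manually.
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $WindowStart
        EndTime   = $WindowEnd
    } -ErrorAction Stop
    foreach ($e in $events) {
        $script = [string]$e.Properties[2].Value   # ScriptBlockText field of a 4104 event
        if ($script -match 'FromBase64String|DownloadString|Invoke-Expression|\bIEX\b|-enc') {
            $snippet = $script.Substring(0, [Math]::Min(120, $script.Length))
            Add-Finding 'PS-4104' ("{0}: {1}" -f $e.TimeCreated, $snippet)
        }
    }
} catch {
    Write-Warning "Could not read 4104 events (script-block logging may be disabled): $_"
}

# 3. RegIdleBackup scheduled task: its COM handler must point at the legitimate CLSID.
try {
    [xml]$taskXml = Export-ScheduledTask -TaskName 'RegIdleBackup' -TaskPath '\Microsoft\Windows\Registry\'
    $clsid = [string]$taskXml.Task.Actions.ComHandler.ClassId
} catch {
    Write-Warning "RegIdleBackup task could not be exported: $_"
    $clsid = $null
}

if ($clsid -and ($clsid -ne $LegitClsid)) {
    Add-Finding 'RegIdleBackup-CLSID' "unexpected COM handler CLSID $clsid"

    # 4. Inspect the registered COM object; long Base64-looking values are an indicator.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive $clsid
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $keys = @(Get-Item -LiteralPath $key) + @(Get-ChildItem -LiteralPath $key -Recurse)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $val = [string]$k.GetValue($name)
                if ($val -match '^[A-Za-z0-9+/]{40,}={0,2}$') {
                    Add-Finding 'CLSID-Base64' ("{0}\{1} ({2} chars)" -f $k.Name, $name, $val.Length)
                }
            }
        }
    }
} elseif ($clsid) {
    Write-Host "RegIdleBackup COM handler CLSID matches the legitimate value."
}

# Summary: an empty table means none of the checklist indicators were found in the window.
$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that the Operational event log and HKLM hive are readable; pass -WindowStart and -WindowEnd tightened to the timestamp of the first exception line once step 1 has located it, since 4104 volume over a week can be large on an administered server.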
Despite the numerous alerts to apply the security update, many vulnerable Serv-U servers remain publicly accessible.
Most vulnerable Serv-U FTP instances are located in China, while the United States comes in second.
It’s been almost four months since SolarWinds released the security update for this vulnerability, but the percentage of potentially vulnerable Serv-U servers remains above 60%.
“In July, 5945 (~94%) of all Serv-U (S)FTP services identified on port 22 were potentially vulnerable. In October, three months after SolarWinds released their patch, the number of potentially vulnerable servers is still significant at 2784 (66.5%),” warn the researchers in their report.