SolarWinds is a prominent software company specializing in IT management and monitoring solutions for networks and infrastructure.
The company gained fame following a significant supply chain attack in 2020, where hackers inserted malicious code into Orion updates, compromising the networks of over 30,000 clients.
GreyNoise Labs researchers recently discovered that hackers had been actively exploiting SolarWinds Serv-U vulnerability CVE-2024-28995 in the wild.
Hackers Exploiting SolarWinds Serv-U Vulnerability
In June 2024, SolarWinds’ “Serv-U” file transfer product was found to have a “critical path-traversal” vulnerability.
This flaw allowed attackers to read arbitrary files by manipulating the “InternalDir” and “InternalFile” parameters in ‘HTTP’ requests. A honeypot mimicking this vulnerability was deployed to study exploit attempts.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
Over three months, the honeypot logged various attack patterns, starting with basic probes like accessing on “Linux” and ‘C:Windowswin.ini’ on “Windows.”
attempts emerged and target sensitive files like “unattended.xml” and “sysprep.xml,” which may contain credentials in plaintext.
Threat actors also sought “Windows registry hives” (SAM for password data) and “cloud service credentials” for ‘AWS,’ ‘Azure,’ and ‘Google Cloud.’
Besides this, the “Linux” systems were initially probed, and “Windows” became the primary target, according to the GreyNoise report.
The attacks evolved from simple vulnerability scans to intense exploitation attempts, with peaks of new payload types observed on specific dates (“July 7” and “July 29”).
While the URL encoding and character set differences (“Cyrillic”) in payloads, indicate the diverse attacker origins.
The frequency and variety of exploits were decreased over time, indicating reduced interest from threat actors or improved patching by the possible targets.
Moreover, helpful insights into the lifecycle and exploitation patterns of a “high-profile vulnerability” in a widely-used “enterprise software product” are provided by this real-world data.
This analysis examines file exfiltration attempts by attackers targeting a Serv-U server, categorizing requested files into groups like “scanners,” “Windows credentials,” “web configurations,” “databases,” and “miscellaneous interesting files.”
Here the web-related requests are focused on Windows systems configuration files for “PHP,” “Apache,” “Nginx,” and “IIS.”While the database-related attempts targeted “MySQL,” “PostgreSQL,” and “SQL Server configurations and data files.”
The analysis also noted “broken” requests with typos or incorrect paths and creative guesses like “password.txt” on the administrator’s desktop.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar