Clop Ransomware Exploits SolarWinds Serv-U Flaw

The CVE-2021-35211 remote code execution vulnerability in Serv-U Managed File Transfer and Serv-U Secure FTP allows a remote threat actor to run arbitrary commands on a vulnerable server with elevated privileges.

After detecting “a single threat actor” exploiting it in attacks, SolarWinds issued an emergency security update in July 2021.

According to the company, customers who have activated the SSH capability, which is widely used to further secure connections to the FTP server, are not affected by this issue.

What Happened?

Clop ransomware attacks have increased in recent weeks, and most of them begin with the exploitation of CVE-2021-35211.

In the new attacks detected by NCC, the threat actors appear to use Serv-U to launch a sub-process under their control, which lets them run commands on the target machine.

From there the malware is deployed, the network is surveyed, and lateral movement takes place, laying the groundwork for the ransomware attack.

Exception errors in the Serv-U logs, which are generated when the vulnerability is triggered, are a telltale sign that the flaw is being exploited.
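The log indicator above can be turned into a simple hunt. The following is an added example, not code from the original article or from SolarWinds, NCC or Heimdal: it scans a constructed Serv-U debug-log excerpt for the access-violation exception in the SSH receive path and ties each hit back to the remote address of the session that produced it. Assumptions: the "timestamp - (session) message" line layout is made up for the example and the real log layout may differ; the exception text (EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); ...) is quoted from the vendor advisory as I recall it, so confirm the exact string against the advisory before relying on it; the IP addresses are RFC 5737 documentation addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample excerpt. The "timestamp - (session) message" layout is an
# assumption made for this example; the real Serv-U DebugSocketLog.txt layout
# may differ, so adjust LINE_RE to match what your server actually writes.
SAMPLE_LOG = """\
2021-07-13 10:15:01 - (000123) Connected to 203.0.113.5 (local address 10.0.0.8, port 22)
2021-07-13 10:15:02 - (000123) EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
2021-07-13 10:15:02 - (000123) Connection closed
2021-07-13 10:16:40 - (000124) Connected to 198.51.100.20 (local address 10.0.0.8, port 22)
2021-07-13 10:16:41 - (000124) User "alice" logged in
2021-07-13 10:17:05 - (000125) Connected to 203.0.113.5 (local address 10.0.0.8, port 22)
2021-07-13 10:17:06 - (000125) EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
2021-07-13 10:17:06 - (000125) Connection closed
"""

# One log line: timestamp, session id in parentheses, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) - \((?P<session>\d+)\) (?P<msg>.*)$")
# Session start line carrying the remote address.
CONNECT_RE = re.compile(r"Connected to (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# Access violation (C0000005) inside the SSH packet receive routine: the
# exception the vendor advisory tells defenders to look for (quoted from
# memory; verify the exact text against the advisory).
EXCEPTION_RE = re.compile(r"EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive\(\)")


@dataclass
class Indicator:
    timestamp: str
    session: str
    remote_ip: Optional[str]   # None if the session's connect line was not seen
    message: str


def find_exploit_indicators(log_text: str) -> List[Indicator]:
    """Return every exception hit, annotated with the session's remote IP."""
    session_ip: Dict[str, str] = {}
    hits: List[Indicator] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, session, msg = m.group("ts", "session", "msg")
        connect = CONNECT_RE.search(msg)
        if connect:
            session_ip[session] = connect.group("ip")
            continue
        if EXCEPTION_RE.search(msg):
            hits.append(Indicator(ts, session, session_ip.get(session), msg))
    return hits


def sources_by_hit_count(indicators: List[Indicator]) -> Dict[str, int]:
    """Aggregate hits per remote address, most frequent first."""
    counts: Dict[str, int] = {}
    for ind in indicators:
        key = ind.remote_ip or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    found = find_exploit_indicators(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.timestamp} session {hit.session} from {hit.remote_ip}: "
              f"{hit.message[:60]}...")
    print(sources_by_hit_count(found))
```

A single exception can also be a benign crash, so treat the hit as a trigger for further review: pull the session's remote address, check the same time window for unexpected child processes of the Serv-U service, and look for the PowerShell activity the article goes on to describe.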

Traces of PowerShell command execution, which is used to deploy a Cobalt Strike beacon on

Read More: https://heimdalsecurity.com/blog/clop-ransomware-exploits-solarwinds-serv-u-flaw/