On July 13, 2021, Microsoft published an article on CVE-2021-35211 being abused by a Chinese threat actor referred to as DEV-0322. The advisory mentions that Serv-U Managed File Transfer and Serv-U Secure FTP are affected by the vulnerability.
SolarWinds published a security advisory detailing the vulnerability in the Serv-U software on July 9, 2021. The vulnerability being exploited is known as CVE-2021-35211.

Modus Operandi

Initial Access

During multiple incident response investigations, NCC Group found that a vulnerable version of SolarWinds Serv-U server appeared to be the initial access used by TA505 to breach its victims’ IT infrastructure.
NCC Group’s global Cyber Incident Response Team has observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, known for extortion attacks using the Clop ransomware. We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach. NCC Group strongly advises updating systems running SolarWinds Serv-U software to the most recent version (at minimum version 15.2.3 HF2) and checking whether exploitation has happened as detailed below. We are sharing this information as a call to action for organisations using SolarWinds Serv-U software and incident responders currently dealing with Clop ransomware.
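As an added example (not code from NCC Group or SolarWinds), a small triage helper that decides whether an inventoried Serv-U build meets the 15.2.3 HF2 minimum stated above. It assumes version strings of the form "15.2.3 HF2" (a hotfix suffix on a three-part version); that format is an assumption for the example, not something the advisory specifies.

```python
import re
from typing import Dict, Tuple

# Minimum fixed release named in the advisory: Serv-U 15.2.3 HF2.
MIN_FIXED = "15.2.3 HF2"

# Assumed version string shape: "MAJOR.MINOR.PATCH" plus an optional
# " HFn" hotfix suffix. This regex is constructed for the example.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_servu_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a Serv-U version string into a comparable tuple.

    A release without a hotfix suffix counts as hotfix 0, so the ordering is
    "15.2.3" < "15.2.3 HF1" < "15.2.3 HF2" < "15.2.4".
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch), int(hf or 0))


def is_patched(installed: str, minimum: str = MIN_FIXED) -> bool:
    """True if the installed build is at or above the advisory's minimum."""
    return parse_servu_version(installed) >= parse_servu_version(minimum)


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Given hostname -> version, return the hosts that still need attention."""
    exposed: Dict[str, str] = {}
    for host, version in hosts.items():
        try:
            if not is_patched(version):
                exposed[host] = version
        except ValueError:
            # Unparseable strings are flagged rather than silently skipped.
            exposed[host] = f"unparseable: {version}"
    return exposed


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames and versions are made up.
    sample = {"ftp-01": "15.2.3 HF2", "ftp-02": "15.2.3 HF1",
              "ftp-03": "15.2.2", "ftp-04": "15.3.0", "ftp-05": "15.2"}
    for host, reason in triage(sample).items():
        print(f"{host}: {reason}")
```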