SolarWinds Zero-Day Vulnerability Under Active Attack

What has happened?

• The flaw affects Serv-U version 15.2.3 HF1 and prior. Successful exploitation of this vulnerability allows attackers to run arbitrary code on the infected system.
• Moreover, the vulnerability enables attackers to install malicious programs and view, change, or delete important data. However, the flaw is addressed in Serv-U version 15.2.3 hotfix (HF) 2.
• The firm is asking administrators to watch out for any potentially suspicious connections via SSH from the IP addresses 98[.]176[.]196[.]89 and 68[.]235[.]178[.]32 or 208[.]113[.]35[.]58 via TCP 443.
• SolarWinds stated in its recent advisory that the zero-day found is nowhere related to the SUNBURST supply chain attack. Moreover, it does not affect any other products, especially the Orion platform.

Recent supply chain attacks

• Recently, Kaseya was targeted by the REvil ransomware in a supply chain attack, targeting critical security vulnerabilities (CVE-2021-30116/19/20) in its Virtual System Administrator solution.
• A monumental supply chain attack on the aviation industry was linked to the Chinese nation-state actor APT41, in June.
• In May, Canada Post suffered a data breach incident that impacted 950,000 of its customers. The security breach occurred due to a malware-based supply chain attack.

Conclusion