Hackers Actively Exploiting Dangerous SolarWinds Serv-U Flaw

SolarWinds’ Serv-U file-transfer product was found to have a path-traversal vulnerability, which allows attackers to access files outside of the intended directory. 

Although a patch has been available for some time, the honeypot that GreyNoise Labs used to emulate the vulnerable endpoint continues to receive exploitation attempts. The exploit is a single HTTP request whose parameters carry the directory-traversal sequence that triggers the flaw.

The software does check the request for path-traversal characters, but its own later processing reintroduces them, so the traversal reaches the filesystem and the attacker can read files from locations the application never meant to expose. Because Windows paths use backslashes and Linux paths use forward slashes, the slash style in a request shows which platform a given payload was built for.

The honeypot data consists of URL-encoded HTTP requests aimed at a directory inside the system. Most decode cleanly, but some contain unexpected characters, notably a caret (^) and the Cyrillic letter э.

At first glance these look like incomplete or incorrect URL encoding on the attackers’ side. Closer inspection points elsewhere: the trailing э is most likely a copy-and-paste error from the attacker’s tooling or configuration, and the caret comes from the Windows command line, where ^ is cmd.exe’s escape character and ends up in the request when an attacker pastes a command containing escaped characters. Neither is a deliberate part of the payload, although such stray characters are a useful fingerprint of the tooling and operators behind the requests.

Both artefacts were stripped from the cleaned dataset so that otherwise identical requests group together and the analysis is not skewed by near-duplicates.

Normalising the malformed requests in this way made several patterns visible. The most frequently requested paths pointed at a small set of system directories, which says a great deal about what the attackers were after. Recording the first occurrence of each distinct request produced a timeline of when each new payload entered circulation.

Grouping requests by the purpose of the targeted file (configuration files, executable binaries and so on) highlighted the common attack vectors and gives security teams a concrete basis for prioritising detections and mitigations.

GreyNoise Labs analysed the honeypot traffic to see which files attackers requested most often. Vulnerability scanners and people testing proofs of concept generated most of the requests, but a nontrivial share came from attackers trying to exploit real systems.

Those attackers went after login credentials: Windows registry hives, cloud-provider credential files and shell history files. The activity arrived in waves, with bursts of new requests from new tools followed by quiet periods, which suggests the attackers update their tooling periodically.

The attackers probed the usual locations for stored credentials on both platforms: registry hives and cloud-service configuration files on Windows, and the equivalent files on Linux.

Interestingly, they also requested a file that does not exist, /etc/id.so.preload (evidently a misspelling of /etc/ld.so.preload, the dynamic loader’s preload list), which hints at limited familiarity with Linux, and they searched the Administrator desktop for files named “password” or “logins”, a low-sophistication approach.
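The normalisation and grouping described above, as an added example written for this article (it is not GreyNoise Labs’ or Cyber Press’s tooling): it strips the stray caret and Cyrillic э, percent-decodes each request until it is stable, guesses the target platform from the slash style, records the first sighting of each distinct path and groups paths by the purpose of the targeted file, including the credential locations discussed above. The log lines are constructed, the log format (`<ISO timestamp> <request-target>`), the query parameter names `dir` and `file` (placeholders, not the real Serv-U parameter names) and the purpose categories are all assumptions made for the example.

```python
"""Normalise, clean and classify honeypot requests for a path-traversal probe.

Added example; not GreyNoise Labs' or Cyber Press's code. Assumes each log
line is "<ISO timestamp> <request-target>", that the traversal is carried in
two query parameters named `dir` and `file` (hypothetical placeholders, not
the real Serv-U parameter names), and uses the author's own purpose rules.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log. Line 2 ends in a stray caret (cmd.exe escape) and
# line 6 in a trailing Cyrillic "э", the two artefacts described in the text;
# line 8 repeats the attacker's misspelt /etc/id.so.preload.
SAMPLE_LOG = """\
2024-06-15T08:01:12Z /?dir=..%2F..%2F..%2F..%2Fetc&file=passwd
2024-06-15T08:01:15Z /?dir=..%5C..%5C..%5CWindows%5CSystem32%5Cconfig&file=SAM^
2024-06-15T09:22:40Z /?dir=..%2F..%2F..%2Froot&file=.bash_history
2024-06-16T11:05:03Z /?dir=..%2F..%2F..%2F..%2Fetc&file=passwd
2024-06-16T11:05:09Z /?dir=..%5C..%5C..%5CWindows%5CSystem32%5Cconfig&file=SYSTEM
2024-06-17T02:13:55Z /?dir=..%2F..%2F..%2Froot%2F.aws&file=credentialsэ
2024-06-17T02:14:01Z /?dir=..%2F..%2F..%2Fetc&file=ld.so.preload
2024-06-18T14:40:27Z /?dir=..%2F..%2F..%2Fetc&file=id.so.preload
2024-06-18T14:41:00Z /?dir=..%5C..%5CUsers%5CAdministrator%5CDesktop&file=password.txt
2024-06-18T14:41:02Z /?dir=..%5C..%5C..%5CWindows%5CSystem32&file=cmd.exe
"""

# Operator mistakes rather than payload: the cmd.exe escape caret and the
# Cyrillic "э" pasted in from a broken configuration.
STRAY_CHARS = {ord("^"): None, ord("э"): None}

# Illustrative purpose categories (author's own), checked in order.
PURPOSE_RULES = [
    ("registry hive", re.compile(r"\\config\\(SAM|SYSTEM|SECURITY)$", re.I)),
    ("cloud credentials", re.compile(r"[\\/]\.aws[\\/]credentials$|[\\/]\.azure[\\/]", re.I)),
    ("shell history", re.compile(r"[\\/]\.(bash|zsh|sh)_history$", re.I)),
    ("desktop note", re.compile(r"Desktop[\\/](password|logins)", re.I)),
    ("local accounts", re.compile(r"/etc/(passwd|shadow)$")),
    ("loader config", re.compile(r"/etc/(ld|id)\.so\.preload$")),  # "id" = attacker typo
    ("binary", re.compile(r"\.(exe|dll|so)$|/bin/", re.I)),
]


def clean_request(value: str) -> str:
    """Percent-decode until stable (catches double encoding such as %252e)
    and drop the stray characters described in the article."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.translate(STRAY_CHARS)


def detect_os(path: str) -> str:
    """Guess the target platform from the dominant slash style."""
    fwd, back = path.count("/"), path.count("\\")
    if back > fwd:
        return "windows"
    if fwd > back:
        return "linux"
    return "unknown"


def classify_purpose(path: str) -> str:
    """Label the targeted file by what an attacker would want it for."""
    for label, pattern in PURPOSE_RULES:
        if pattern.search(path):
            return label
    return "other"


def parse_record(line: str) -> dict:
    """Turn one raw log line into a cleaned, classified record."""
    ts, target = line.split(" ", 1)
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    directory = clean_request(query.get("dir", [""])[0])
    filename = clean_request(query.get("file", [""])[0])
    os_name = detect_os(directory)
    path = directory + ("\\" if os_name == "windows" else "/") + filename
    return {"ts": ts, "os": os_name, "path": path, "purpose": classify_purpose(path)}


def analyze(log_text: str) -> dict:
    """Aggregate counts per path, first sighting per path, and breakdowns
    by purpose and target platform."""
    records = sorted(
        (parse_record(l) for l in log_text.splitlines() if l.strip()),
        key=lambda r: r["ts"],
    )
    first_seen = {}
    for r in records:  # records are chronological, so the first hit wins
        first_seen.setdefault(r["path"], r["ts"])
    return {
        "records": records,
        "by_path": Counter(r["path"] for r in records),
        "first_seen": first_seen,
        "by_purpose": Counter(r["purpose"] for r in records),
        "by_os": Counter(r["os"] for r in records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("target platform:", dict(result["by_os"]))
    print("purpose breakdown:", dict(result["by_purpose"]))
    print("first seen per distinct path:")
    for path, ts in sorted(result["first_seen"].items(), key=lambda kv: kv[1]):
        print(f"  {ts}  {result['by_path'][path]:>2}x  {path}")
```

Decoding in a loop rather than once matters here: a scanner that double-encodes the traversal would otherwise appear as a separate, unrelated path and escape the grouping, and the same is true if the caret or э were left in place. The purpose rules are deliberately narrow so that an unmatched path surfaces as "other" for manual review instead of being silently misfiled.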

Kaaviya, Security Editor, Cyber Press (https://cyberpress.org/)
Kaaviya is a Security Editor and reporter with Cyber Press, covering cyber security incidents across cyberspace.