SolarWinds Serv-U path traversal flaw actively exploited in attacks

"The most frequently targeted files seen by Greynoise are:

  • \etc/passwd (contains user account data on Linux)
  • /ProgramData/RhinoSoft/Serv-U/Serv-U-StartupLog.txt (contains startup logs info for the Serv-U FTP server)
  • /windows/win.ini (initialization file containing Windows configuration settings)

Attackers target those files to escalate their privileges or explore secondary opportunities in the breached network.

GreyNoise reports cases where the attackers appear to copy-paste exploits without testing, resulting in failed attempts.

In other exploitation attempts from China, the attackers showcase persistence, adaptability, and better understanding.

GreyNoise says they experimented with different payloads and formats for four hours and adjusted their approach based on server responses.

With confirmed attacks underway, system administrators must apply the available fixes as soon as possible."

Source: https://www.bleepingcomputer.com/ne...traversal-flaw-actively-exploited-in-attacks/
 
SolarWinds is pretty necessary to manage large VMware deployments.

Until AMD, and all the other big tech firms that were hacked in the past month say otherwise I’m convinced SolarWinds/VMware is how they got in.
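Added example, not code from the quoted BleepingComputer/GreyNoise report or from SolarWinds: a small log scanner that undoes the encoding tricks the report describes attackers varying (backslashes, single and double percent-encoding) and flags requests that traverse directories or resolve to one of the three files GreyNoise saw targeted. The log line format and every request in SAMPLE_LOG are constructed for the illustration; Serv-U's own log format is not shown on the page and is not assumed here.

```python
"""Detect path-traversal probes aimed at the files named in the GreyNoise report.

Added illustration, not code from BleepingComputer, GreyNoise or SolarWinds.
The "<client> <method> <request-target> <status>" log format and the sample
lines below are constructed for this example, not taken from Serv-U.
"""
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Files GreyNoise saw attackers reach for, as lower-case path suffixes.
WATCHED_SUFFIXES = (
    "etc/passwd",
    "programdata/rhinosoft/serv-u/serv-u-startuplog.txt",
    "windows/win.ini",
)

# Constructed log lines (not a real Serv-U log): client, method, target, status.
SAMPLE_LOG = """\
198.51.100.7 GET /Web%20Client/Login.xml 200
198.51.100.7 GET /..%2F..%2F..%2F..%2Fetc%2Fpasswd 200
203.0.113.9 GET /..%255c..%255c..%255cwindows%255cwin.ini 200
203.0.113.9 GET /Web%20Client/..\\..\\..\\..\\..\\ProgramData/RhinoSoft/Serv-U/Serv-U-StartupLog.txt 200
192.0.2.4 GET /Web%20Client/Style.css 200
198.51.100.7 GET \\etc/passwd 404
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$"
)


def normalise_target(raw: str) -> str:
    """Undo the encodings layered onto a request target.

    Percent-decodes repeatedly (so %255c becomes %5c becomes a backslash),
    drops any query string, folds backslashes to forward slashes and
    lower-cases the result so Windows-style case variation does not matter.
    """
    decoded = raw
    for _ in range(3):  # bounded: three rounds cover single and double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.split("?", 1)[0].replace("\\", "/")
    return decoded.lower()


def traversal_depth(path: str) -> int:
    """Count '..' segments in a normalised path (0 means no traversal)."""
    return sum(1 for seg in path.split("/") if seg == "..")


def watched_target(path: str) -> Optional[str]:
    """Return the watched file a normalised path resolves to, if any."""
    # Anchor at root so '..' above the root is discarded, as a server would.
    resolved = posixpath.normpath("/" + path.lstrip("/"))
    for suffix in WATCHED_SUFFIXES:
        if resolved.endswith("/" + suffix):
            return suffix
    return None


def scan_log(log_text: str) -> List[Dict]:
    """Flag lines that traverse directories or resolve to a watched file.

    A direct hit on a watched file with no '..' (last sample line) is still
    flagged: the report lists the files by name, not by traversal prefix.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise_target(m["target"])
        depth = traversal_depth(path)
        target = watched_target(path)
        if depth or target:
            findings.append({
                "client": m["client"],
                "raw": m["target"],
                "normalised": path,
                "traversal_depth": depth,
                "watched_file": target,
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decode loop is bounded on purpose: unbounded re-decoding is itself a denial-of-service vector, and two rounds already catch the double-encoded variants seen in the wild. Matching on the resolved path rather than the raw string is what makes the backslash, `%2F` and `%255c` forms of the same probe collapse into one detection.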
 
