Weekly threat roundup: SolarWinds, Microsoft, SonicWall

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Hackers targeting SolarWinds’ Serv-U suite

SolarWinds has warned that cyber criminals are targeting a vulnerability in its Serv-U Managed File Transfer (MFT), Serv-U Secure File Transfer Protocol (FTP), and Serv-U Gateway products, following an advisory from Microsoft.

The firm has released a hotfix to address CVE-2021-35211, which hackers have exploited to run arbitrary code with privileges on targeted systems. The flaw exists in the latest Serv-U version 15.2.3 HF1, released on 5 May 2021, and all prior versions, with customers urged to upgrade immediately to version 15.3.2 HF2.

No other SolarWinds product is affected by this vulnerability, with Microsoft attributing exploitation attempts to DEV-0322, a group based in China, which is attempting to infiltrate US defence and software companies.

Microsoft has a another go at fixing PrintNightmare

The Windows developer has issued 117 fixes as part of its latest wave of Patch Tuesday updates, including a second attempt to patch CVE-2021-34527 - also referred to as PrintNightmare.

This second attempt comes after initial efforts fell short, and a security researcher demonstrated that exploitation of the Print Spooler component was still possible so long as the targeted device had enabled the feature ‘point and print’.

This latest wave of updates also includes patches for three additional zero-day bugs that have been exploited, among nine zero-day flaws overall. Of the 117, 13 are rated as critical, while 103 are rated as important. 

Chained Schneider Electric bugs could lead to remote hacking

Researchers have found a vulnerability in Schneider Electric process logic controllers (PLCs) that could allow hackers to gain complete control of vulnerable systems by bypassing security controls.

Related Resource

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Cyber resilience for dummies - How to improve cyber resilience within your organisation - whitepaper from MimecastDownload now

Dubbed ModiPwn and tracked as CVE-2021-22779, Armis researchers found that this flaw, embedded in Modicon M580 and M340 controllers, could allow remote attackers to run code natively on the PLCs, modifying their functionality. 

Schneider Electric had implemented layers of security in its controllers to prevent abuse of undocumented Modbus commands. The flaw can be exploited, however, to bypass this implementation. Hackers can exploit it to read the password hash from the PLC’s memory and use it to skip authentication. They could then upload a new project file that doesn’t have a password, which downgrades the device’s security, removing application password functionality and allowing a chained attack.

The company is working on a patch to address ModiPwn, and has published a set of mitigations that users can implement in the meantime.

Kaseya patches VSA flaws exploited to conduct ransomware attack

Software firm Kaseya has issued patches for three vulnerabilities that hackers abused to execute a devasting ransomware attack in early July.

An emergency update for the cloud-based IT management and remote monitoring platform VSA addressed three bugs tracked as CVE-2021-30116, CVE-2021-30119, and CVE-3031-30120. These concern credentials leakage and a business logic flaw, a cross-site scripting (XSS) vulnerability, and a two-factor authentication (2FA) bypass, respectively.

They’ve been patched alongside four other flaws that were identified by the security firm DIVD in April this year, with the two companies working together to issue fixes, only for REvil operators to beat them to the punch and launch their attack.

The attack saw hackers abuse the flaws to target VSA and launch ransomware attacks against the company, as well as a handful of on-premise customers. Because VSA is used by a number of Managed Service Providers (MSPs), the compromised internet-facing VSA servers also served as an entry point to target their customers, with 1,500 businesses thought to have been affected overall.

SonicWall warns users to turn off EOL hardware ahead of ‘imminent ransomware campaign’

Networking device manufacturer SonicWall has warned its customers about an imminent ransomware campaign using stolen credentials targeting its end-of-life devices and units running outdated firmware.

There’s an imminent threat against unpatched Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) devices, the company confirmed in an email to customers, especially those still using end-of-life (EOL) 8.x firmware.

Customers using outdated SRA hardware should also disconnect these devices immediately and reset passwords, including SRA 4600/1600, SRA 4200/1200 and SSL-VPN 200/2000/400. SMA 400/200, meanwhile, is still supported in a limited retirement mode, with customers urged to update to the latest firmware versions.

Should customers not mitigate the risks or update their systems immediately, it’s extremely likely their devices will be targeted in the “imminent” ransomware campaign, of which specific details haven’t been provided.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021