Privacy Ninja

Clop Gang Exploiting SolarWinds Serv-U Flaw in Ransomware Attacks

The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices.

The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution vulnerability, tracked as CVE-2021-35211, allows a remote threat actor to execute commands on a vulnerable server with elevated privileges.

SolarWinds released an emergency security update in July 2021 after discovering “a single threat actor” exploiting it in attacks.

The company also warned that this vulnerability only affects customers who have enabled the SSH feature, which is commonly used to further protect connections to the FTP server.

Vulnerability used in ransomware attacks

According to a new report by the NCC Group, there’s been an uptick in Clop ransomware infections in the past couple of weeks, with most of them starting with the exploitation of CVE-2021-35211.

While the Clop gang is known to use vulnerabilities in their attacks, such as the Accellion zero-day attacks, the researchers state that TA505 more commonly uses phishing emails with malicious attachments to breach networks.

In the new attacks spotted by NCC, the threat actors exploit Serv-U to spawn a sub-process controlled by the attackers, thus enabling them to run commands on the target system.

This opens up the way for malware deployment, network reconnaissance, and lateral movement, essentially laying the ground for a ransomware attack.

A characteristic sign of this flaw being exploited is exception errors written to the Serv-U logs at the moment of exploitation.

The exception error shown in logs will be similar to the following string:

‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’

Another sign of exploitation is traces of PowerShell command execution, which is used to deploy a Cobalt Strike beacon on the vulnerable system.

For persistence, the actors hijack a legitimate scheduled task that is used for regularly backing up registry hives and abuse the associated COM handler to load ‘FlawedGrace RAT.’

FlawedGrace is a tool that TA505 has been using since at least November 2017, and it remains a reliable part of the group’s arsenal.

NCC Group has posted the following handy checklist for system administrators who suspect compromise:

  • Check if your Serv-U version is vulnerable
  • Locate the Serv-U’s DebugSocketlog.txt
  • Search for entries such as ‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’ in this log file
  • Check for Event ID 4104 in the Windows Event logs surrounding the date/time of the exception and look for suspicious PowerShell commands
  • Check for the presence of a hijacked Scheduled Task named RegIdleBackup using the provided PowerShell command
  • In case of abuse: the CLSID in the COM handler should NOT be set to {CA767AA8-9157-4604-B64B-40747123D5F2}
  • If the task includes a different CLSID: check the content of the CLSID objects in the registry using the provided PowerShell command, returned Base64 encoded strings can be an indicator of compromise.
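The checklist refers to "provided PowerShell commands" that are not reproduced on this page. The script below is an added example, written for this article and not NCC Group's or SolarWinds' own tooling, that walks the same checks on a Windows host: it greps the Serv-U debug log for the exception string, pulls Event ID 4104 script block entries from a time window, reads the RegIdleBackup task definition and compares its COM handler CLSID with the expected value, and, if the CLSID differs, lists long Base64-looking values under that CLSID's registry key. Assumed, not from the page: the log path in `$ServULog` (Serv-U's install directory varies), that Script Block Logging is enabled so 4104 events exist, the task path `\Microsoft\Windows\Registry\`, and the suspicious-command regex, which is a heuristic for leads rather than a verdict.

```powershell
<#
  Added triage example for the NCC Group checklist above; not their published commands.
  Assumptions (adjust for your environment):
    - $ServULog is a hypothetical path; locate DebugSocketlog.txt under your Serv-U install.
    - Script Block Logging is on, so Event ID 4104 exists in Microsoft-Windows-PowerShell/Operational.
    - RegIdleBackup lives at \Microsoft\Windows\Registry\ (its default location).
  Read-only; run elevated so the event log and task definition are readable.
#>
param(
    [string]$ServULog = 'C:\Serv-U\DebugSocketlog.txt',   # hypothetical path, see above
    [datetime]$Since  = (Get-Date).AddDays(-30)           # review window for 4104 events
)

$ExceptionPattern = 'EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive\(\);'
$ExpectedClsid    = '{CA767AA8-9157-4604-B64B-40747123D5F2}'   # from the checklist
$Findings         = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Serv-U debug log: the exception string associated with exploitation attempts
if (Test-Path -LiteralPath $ServULog) {
    Select-String -LiteralPath $ServULog -Pattern $ExceptionPattern | ForEach-Object {
        Add-Finding 'ServU-Exception' ("line {0}: {1}" -f $_.LineNumber, $_.Line.Trim())
    }
} else {
    Write-Warning "Serv-U log not found at $ServULog (pass -ServULog)"
}

# 2. Script block logging in the window. The regex covers common download-and-execute
#    idioms (assumed heuristic); every hit still needs a human look.
$Suspicious = 'FromBase64String|DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b|-enc(odedcommand)?\b'
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # For 4104, Properties[2] is ScriptBlockText; fall back to the rendered message
    $text = if ($e.Properties.Count -ge 3) { [string]$e.Properties[2].Value } else { $e.Message }
    if ($text -match $Suspicious) {
        $snippet = $text.Substring(0, [Math]::Min(160, $text.Length)) -replace '\s+', ' '
        Add-Finding 'PS-4104' ("{0}: {1}" -f $e.TimeCreated, $snippet)
    }
}

# 3. RegIdleBackup: its only action should be the built-in COM handler CLSID
$task = Get-ScheduledTask -TaskName 'RegIdleBackup' -TaskPath '\Microsoft\Windows\Registry\' -ErrorAction SilentlyContinue
if (-not $task) {
    Add-Finding 'RegIdleBackup' 'task not found at \Microsoft\Windows\Registry\ (check other task paths)'
} else {
    [xml]$taskXml = Export-ScheduledTask -InputObject $task
    $clsid = $taskXml.Task.Actions.ComHandler.ClassId
    if (-not $clsid) {
        Add-Finding 'RegIdleBackup' 'action is no longer a COM handler (task definition modified)'
    } elseif ($clsid -ne $ExpectedClsid) {
        Add-Finding 'RegIdleBackup' "COM handler CLSID is $clsid, expected $ExpectedClsid"

        # 4. Inspect the substituted CLSID object; long Base64-looking string values are
        #    the indicator the checklist describes. Also record any InProcServer32 path.
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path -LiteralPath $clsidKey) {
            $keys = @(Get-Item -LiteralPath $clsidKey) + @(Get-ChildItem -LiteralPath $clsidKey -Recurse)
            foreach ($k in $keys) {
                foreach ($name in $k.GetValueNames()) {
                    $v = $k.GetValue($name)
                    if ($v -is [string] -and $v -match '^[A-Za-z0-9+/]{40,}={0,2}$') {
                        Add-Finding 'CLSID-Base64' ("{0}\{1} ({2} chars)" -f $k.Name, $name, $v.Length)
                    }
                }
                if ($k.PSChildName -eq 'InProcServer32') {
                    Add-Finding 'CLSID-Server' ("{0} -> {1}" -f $k.Name, $k.GetValue(''))
                }
            }
        } else {
            Add-Finding 'CLSID-Missing' "$clsid has no HKEY_CLASSES_ROOT\CLSID entry"
        }
    }
}

if ($Findings.Count -eq 0) { 'No indicators found for the checks above.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Usage: `.\Check-ServU.ps1 -ServULog 'D:\path\to\DebugSocketlog.txt' -Since (Get-Date).AddDays(-7)`. The CLSID comparison is deliberately a plain `-ne`, so a task whose action was changed to anything other than the stock handler is flagged, and an unexpected CLSID is followed into the registry rather than merely reported.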

Despite the numerous alerts to apply the security update, many vulnerable Serv-U servers remain publicly accessible.

Most vulnerable Serv-U FTP instances are located in China, while the United States comes in second.

Countries with the most vulnerable Serv-U instances
Source: NCC Group

It’s been almost four months since SolarWinds released the security update for this vulnerability, but the percentage of potentially vulnerable Serv-U servers remains above 60%.

“In July, 5945 (~94%) of all Serv-U (S)FTP services identified on port 22 were potentially vulnerable. In October, three months after SolarWinds released their patch, the number of potentially vulnerable servers is still significant at 2784 (66.5%),” warn the researchers in their report.
