A New SolarWinds Backdoor Being Exploited Right Now - Beware

 SolarWinds, the company infamous for the backdoor maliciously added to its Orion suite in a supply-chain attack by Russia, has been caught with another critical security blunder. This time, a hardcoded login credential in its Web Help Desk (WHD) product has been exploited by criminals. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the oversight to its Known Exploited Vulnerabilities (KEV) Catalog.

This vulnerability, tracked as CVE-2024-28987, allows remote, unauthenticated attackers to log into vulnerable instances using the baked-in credentials. This grants them access to internal functionality and the ability to modify sensitive data. The severity of this vulnerability is rated 9.1 on the CVSS scale.

While the exact scope of the exploitation remains unknown, SolarWinds did rectify the error in late August. A SolarWinds spokesperson told The Register that they have seen no threat activity against patched instances and encouraged all customers to update to the latest version of WHD (12.8.3 HF2) or install the necessary patch for older versions (12.8.3 HF1). CISA, however, declined to provide further details about the bug or its exploitation beyond the information provided in the KEV.

According to Zach Hanley, a vulnerability researcher at Horizon3.ai who discovered and disclosed the flaw to SolarWinds, approximately 827 instances of WHD remained publicly exposed to the internet as of late September. Hanley noted that "organizations typically revealed sensitive process information for IT procedures such as user onboarding, password resets, and accessing shared resources," while also recognizing that the vulnerability, while serious, does not allow complete compromise of the WHD server itself. However, he emphasized the "high" risk of lateral movement through stolen credentials.

This marks the second actively exploited bug in the WHD product within two months. On August 13, SolarWinds released a hotfix for a critical deserialization remote code execution vulnerability in WHD, rated 9.8 on the CVSS scale, and tracked as CVE-2024-28986. This flaw was also added to CISA's Known Exploited Vulnerabilities catalog.

WHD enjoys a high level of popularity in the education sector and among state and local governments. The presence of these exploited vulnerabilities highlights the need for robust security measures and vigilant patching practices across all sectors, especially those dealing with sensitive information.

It is imperative for organizations to take immediate action to mitigate the risks associated with these vulnerabilities. Updating to the latest version of WHD and manually installing patches for older versions should be prioritized. Organizations should also review their security practices and ensure that they have comprehensive security measures in place to detect and respond to potential attacks. The exploitation of these vulnerabilities underscores the critical importance of prompt security updates and proactive security measures. Organizations must remain vigilant in their efforts to protect their data and systems from cyber threats.