back to article SolarWinds issues software update – one it wrote for a change – to patch hole exploited in the wild

SolarWinds has issued an emergency patch after a critical security hole in its Serv-U Managed File Transfer and Serv-U Secure FTP was spotted being exploited in the wild. The vulnerability, discovered by Microsoft's Threat Intelligence Center (MSTIC) and Offensive Security Research teams, can be exploited by an attacker to …

  1. Claptrap314 Silver badge
    Paris Hilton

    A modest proposal

    Maybe, and just hear me out, but maybe it would be a good idea to geoblock access to your admin panels to any nation that your admins aren't actually living in or likely to travel to?

    1. JWLong

      Re: A modest proposal

      Sir, that would make to much sense. So it just ain' t going to happen.

      1. FILE_ID.DIZ
        Boffin

        Re: A modest proposal

        It's not that simple.

        In the first (original?) SolarWinds data exfiltration service, the crims were using Azure compute nodes out of the US (or at least Azure IP addresses based in a US region), presumably to get past any obvious GeoIP filtering and keep suspicion down for as long as possible from a suspicious analyst.

        These days its mandatory to not just GeoIP filter, but block all of the IP space that GCP, AWS and Azure use these days. Of course, whitelisting trusted sources might be simpler.

        Quick Reference:

        Azure

        AWS

        GCP

        PS: In this case, at least the ".1" of each of the /24's provided, one was based in the US and two were from Canada (at least based on inference of their rDNS record), so probably not places that'd be likely excluded from a Geo-Fence... at least in the SSH setups that I have.

        I also block based on the client connection string, like "SSH-2.0-libssh" and "SSH-2.0-Go". If only the idiots would be smart enough to use OpenSSH or PuTTY, or WinSCP in their string, they could easily slip past that filter.

        1. Claptrap314 Silver badge

          Re: A modest proposal

          I know, but it's a start. I'll keep your additional points in mind. I'm still quite junior when it comes to real ops knowledge.

          1. FILE_ID.DIZ
            Boffin

            Re: A modest proposal

            With few exceptions, I have found that inbound blocking those IPs from our datacenter networks hasn't had much impact, which makes a lot of sense (at least to me).

            Most of the "cloud" is spoken to first, then it responds. So uninitiated traffic from cloud provider networks to our datacenter networks isn't generally expected, except where other vendors/partners/customers/whathaveyou are also hosted by one of those providers.

            And the reason why I block cloud providers is that I've hosted more than a few honeypots over time and there is just so much dirty looking traffic coming from presumably compromised machines running in the AWS, Azure and GCP space.

  2. Pascal Monett Silver badge
    Trollface

    a patch it wrote this time

    It is available on the SolarWinds FTP server, for which the access password security has been vastly reinforced.

    It is now S0larWinds1234.

  3. Anonymous Coward
    Anonymous Coward

    Admins should also be on the lookout for traffic from 98.176.196[.]89 and 68.235.178[.]32 IP addresses and connections via TCP port 443 from 208.113.35[.]58.

    Stupid question - why is the final dot in [ ] ?

    1. FILE_ID.DIZ
      Thumb Up

      To prevent the browser or whatever app you're reading The Register with from creating an automatic hyperlink, when one was explicitly not asked for.

  4. Anonymous Coward
    Anonymous Coward

    @file_id.diz

    Thank you

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like