Listen to this Post
Introduction:
A new wave of attacks is leveraging a critical vulnerability in SolarWinds Web Help Desk (WHD) software, CVE-2021-35215, for initial access and subsequent network compromise. Building on the infamous SolarWinds SUNBURST campaign, this activity underscores a persistent threat landscape where attackers exploit IT management software to establish footholds, move laterally, and deploy payloads. This analysis, based on the Microsoft Defender Research Team’s ongoing investigation, provides actionable intelligence and hardening steps to defend your environment.
Learning Objectives:
- Understand the mechanics of the SolarWinds WHD SSRF vulnerability (CVE-2021-35215) and its role in the attack chain.
- Implement immediate detection and hunting queries for indicators of compromise (IOCs) associated with this campaign.
- Apply critical security hardening and mitigation steps to vulnerable SolarWinds WHD instances and analogous systems.
You Should Know:
- Decoding the Attack Chain: From SSRF to Full Compromise
The exploitation begins with CVE-2021-35215, a Server-Side Request Forgery (SSRF) vulnerability in SolarWinds Web Help Desk. Attackers send crafted HTTP requests to the WHD server, tricking it into making unauthorized requests to internal resources, including metadata services (like AWS IMDS) or other sensitive endpoints. This allows them to steal credentials, access tokens, and discover the network landscape.
Step-by-step guide explaining what this does and how to use it:
1. Vulnerability Trigger: The attacker targets the `/whd/` endpoint, specifically the parameter vulnerable to SSRF.
2. Internal Reconnaissance: They force the WHD server to query cloud instance metadata services (e.g., `http://169.254.169.254/latest/meta-data/` on AWS) to harvest IAM roles and temporary credentials.
3. Lateral Movement: Using stolen credentials, the attacker pivots to other systems, often deploying web shells or commodity malware like Cobalt Strike Beacons for persistent access.
2. Immediate Threat Hunting with Advanced KQL Queries
Proactive hunting is essential. Use these Kusto Query Language (KQL) queries in Microsoft Sentinel or Advanced Hunting to search for related activity.
Step-by-step guide explaining what this does and how to use it:
1. Hunt for WHD Process Anomalies: Look for unusual child processes spawned from the WHD Java process (java.exe or javaw.exe), which is not typical behavior.
DeviceProcessEvents | where InitiatingProcessFileName =~ "java.exe" or InitiatingProcessFileName =~ "javaw.exe" | where InitiatingProcessCommandLine contains "whd" | where ProcessCommandLine !contains "whd" // Filters out expected WHD commands | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
2. Detect Outbound Requests to Metadata IPs: Hunt for outbound requests from your servers to well-known metadata service IPs.
DeviceNetworkEvents | where RemoteIP startswith "169.254.169.254" or RemoteIP startswith "fd00:ec2::254" | where ActionType == "ConnectionSuccess" | project Timestamp, DeviceName, RemoteIP, RemotePort
- Critical Mitigation: Patching and Isolating Your WHD Instance
The primary mitigation is applying the official SolarWinds patch. If immediate patching isn’t possible, isolation is critical.
Step-by-step guide explaining what this does and how to use it:
1. Apply the Patch: Immediately upgrade SolarWinds Web Help Desk to version 12.7.8 or later, which contains the fix for CVE-2021-35215. Download it from the official SolarWinds portal.
2. Network Isolation (Temporary Mitigation): Place the WHD server in a dedicated, restricted VLAN. Use firewall rules (Windows Firewall or network appliance) to block all outbound internet traffic from the WHD server and restrict inbound access to only necessary administration IPs.
Windows Firewall Command (Admin PowerShell):
New-NetFirewallRule -DisplayName "Block-WHD-Outbound" -Direction Outbound -Action Block -Program "C:\Path\To\Tomcat\bin\java.exe" -Enabled True
3. Block Metadata Service Access: Configure host-based firewall rules to block the WHD server from reaching the metadata endpoint.
Linux (iptables):
sudo iptables -A OUTPUT -d 169.254.169.254 -j DROP
Windows (Firewall):
New-NetFirewallRule -DisplayName "Block-AWS-Metadata" -Direction Outbound -RemoteAddress 169.254.169.254 -Action Block -Enabled True
4. Forensic Triage: Identifying Compromise and IOCs
Check your systems for known indicators from this campaign.
Step-by-step guide explaining what this does and how to use it:
1. Check for Dropped Files: Search for known malicious filenames and directories associated with web shells.
Linux/Mac:
find / -name ".jsp" -o -name ".war" -o -name ".aspx" 2>/dev/null | xargs ls -la
Windows (PowerShell):
Get-ChildItem -Path C:\ -Include .jsp, .war, .aspx -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, CreationTime, Length
2. Review Web Server Logs: Examine `access.log` and `whd.log` files for suspicious POST requests to uncommon URIs, especially those containing command execution patterns (cmd.exe, /bin/bash, powershell).
5. Hardening Your Security Posture Beyond the Patch
Patching one vulnerability is not enough. Implement defense-in-depth strategies.
Step-by-step guide explaining what this does and how to use it:
1. Implement Least-Privilege Access: Ensure the service account running SolarWinds WHD has the minimum permissions required. Never run it as root, Administrator, or SYSTEM.
2. Enable Enhanced Logging: Ensure audit logging is enabled for the WHD application and the underlying OS (Windows Event Logs or Linux Auditd). Centralize these logs in a SIEM.
3. API Security Hardening: Since WHD exposes APIs, implement API gateways, rate limiting, and strict authentication for any API endpoints. Treat management software APIs as high-value attack surfaces.
What Undercode Say:
- Key Takeaway 1: The SolarWinds ecosystem remains a high-value target. The shift from the Orion platform to Web Help Desk demonstrates attacker adaptability and their deep knowledge of network management software, which often has privileged access and is inadequately monitored.
- Key Takeaway 2: SSRF vulnerabilities are a gateway to cloud credential theft. In modern hybrid environments, an SSRF flaw in an on-premises server can be the perfect launchpad to compromise an entire cloud tenant via metadata services, blurring the lines of perimeter defense.
This incident is a stark reminder that supply chain security must extend beyond the initial vendor software to encompass all ancillary IT management products an organization uses. The pattern of exploiting trusted software for initial access is not diminishing; it’s evolving. Organizations must assume their management tools are in the crosshairs and implement rigorous segmentation, credential protection, and anomalous activity monitoring specifically around these systems.
Prediction:
We will see a continued surge in targeted attacks against IT operational technology (IT-OT) and DevOps tooling—including help desks, monitoring systems, backup software, and CI/CD pipelines. Attackers are studying the “operational DNA” of enterprises. Future campaigns will likely leverage AI to automate the discovery of such software and tailor exploits, making defenses based on static IOC lists increasingly obsolete. The focus will shift to behavioral detection of anomalous processes spawned from management platforms and zero-trust models that severely restrict their network communication.
▶️ Related Video (70% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Ivanmacalintal Analysis – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
