Threat actors exploited the Serv-U FTP software vulnerability of Stor-a-File

December 14, 2021
Tags: Threat Actors, Serv-U FTP Software Vulnerability, Stor-a-File, SolarWinds, Cyberattack, DMS

A British document management system (DMS) solutions firm, Stor-a-File, has been reported to have suffered a ransomware attack that exploited its unpatched instance of the Serv-U File Transfer Protocol (FTP) software from SolarWinds.

According to a Stor-a-File representative, the company has refused to pay the ransom demanded by the threat actors. As a result, some of the stolen data may have been leaked on Tor sites on the dark web.

One of Stor-a-File’s clients is a medical company, one of whose customers reached out to security experts regarding a related concern. That medical company has been using Stor-a-File’s DMS solutions in its daily operations and was also affected by the ransomware attack.

The DMS solutions firm has stated that the authorities were informed as soon as it became aware of the attack, and that its clients will also be informed in any case of compromised data. Nonetheless, some affected individuals complained that it took the firm a long time to notify people about the ransomware attack.

Stor-a-File said, however, that the issue covers only a small number of confidential records held electronically by its services, and that the clients whose data may have been compromised were notified immediately. The remaining client organisations, whose records are held in physical boxes within warehouses, are all unaffected.

The ransomware attack against Stor-a-File stemmed from an outdated version of the Serv-U FTP software by SolarWinds.

Security researchers have yet to determine the exact version of Serv-U FTP that the DMS solutions firm was running, but Microsoft released a statement in July about a critical vulnerability affecting version 15.2.3 HF1 and earlier. Stor-a-File has also told all affected parties that it has now removed all third-party software from its security system to avoid similar incidents in the future.

The vulnerability in the SolarWinds Serv-U FTP software is tracked as CVE-2021-35211. It enables threat actors to achieve remote code execution via a return-oriented programming (ROP) attack, as described by Microsoft.

Security researchers also noted that the first indicator of the vulnerability being exploited is a set of suspicious entries in a log file named DebugSocketlog.txt, found within the Serv-U software’s installation folder. When the vulnerability is being exploited, that log file is observed to contain exceptions.
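The following is an added example, not code from the article or from SolarWinds or Microsoft, showing how a defender might triage a DebugSocketlog.txt file for the exception entries the article describes. The log layout (a leading timestamp followed by free text, with exception records containing the word EXCEPTION) and the sample lines are constructed assumptions for illustration; the real file's exact format should be checked against Microsoft's published guidance before the pattern is relied on.

```python
"""Triage a Serv-U DebugSocketlog.txt for exception entries.

Added example (not from the article). The log format and sample lines are
constructed assumptions; adjust EXCEPTION_RE and TIMESTAMP_RE to the real
file once you have inspected it.
"""
import re

# Assumed indicator: exception records contain the word "EXCEPTION".
EXCEPTION_RE = re.compile(r"\bEXCEPTION\b", re.IGNORECASE)
# Assumed layout: each line starts with "YYYY-MM-DD HH:MM:SS".
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def find_exception_entries(lines):
    """Return a list of (line_number, timestamp_or_None, text) for every
    line that records an exception. Line numbers are 1-based."""
    hits = []
    for number, line in enumerate(lines, start=1):
        text = line.rstrip("\r\n")
        if EXCEPTION_RE.search(text):
            match = TIMESTAMP_RE.match(text)
            hits.append((number, match.group(1) if match else None, text))
    return hits


def summarize(hits):
    """Collapse the hit list into a small summary a responder can act on:
    how many exceptions were logged and the time span they cover."""
    stamps = [ts for _, ts, _ in hits if ts is not None]
    return {
        "count": len(hits),
        "first": stamps[0] if stamps else None,
        "last": stamps[-1] if stamps else None,
    }


def scan_log_file(path):
    """Read a DebugSocketlog.txt from disk and return its summary plus hits."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = find_exception_entries(fh)
    return summarize(hits), hits


# Constructed sample log lines (not real Serv-U output). 203.0.113.0/24 is a
# documentation address range.
SAMPLE_LINES = [
    "2021-07-09 10:15:01 Server started; listening on 0.0.0.0:21",
    "2021-07-09 10:15:07 Connection 42 opened from 203.0.113.5",
    "2021-07-09 10:15:08 EXCEPTION: access violation while processing connection 42",
    "2021-07-09 10:15:09 Connection 42 closed",
    "2021-07-09 10:15:12 Connection 43 opened from 203.0.113.5",
    "2021-07-09 10:15:13 EXCEPTION: access violation while processing connection 43",
    "2021-07-09 10:20:00 Connection 44 opened from 198.51.100.7",
]


if __name__ == "__main__":
    found = find_exception_entries(SAMPLE_LINES)
    print(summarize(found))
    for number, stamp, text in found:
        print(f"line {number} [{stamp}]: {text}")
```

Repeated exceptions in quick succession, as in the constructed sample, are what a responder would escalate: pair the timestamps with connection logs and network data to identify the source, and treat an unpatched Serv-U host showing this pattern as potentially compromised rather than merely unstable.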
