
SolarWinds Web Help Desk RCE Vulnerabilities: Multi-Stage Attacks Exploiting CVE-2024-23476 on Exposed Servers

  • Rescana
  • 18 hours ago
  • 4 min read

Executive Summary

The exploitation of SolarWinds Web Help Desk (WHD) for unauthenticated remote code execution (RCE) in multi-stage attacks represents a critical threat to organizations with internet-exposed WHD servers. Multiple vulnerabilities, including CVE-2024-23476, CVE-2024-23477, and related deserialization and authentication bypass flaws, have been weaponized by threat actors to gain initial access, establish persistence, and escalate privileges within enterprise environments. These attacks have resulted in full domain compromise in several documented incidents. The technical sophistication of the exploitation chain, combined with the widespread deployment of SolarWinds Web Help Desk, underscores the urgent need for immediate mitigation and comprehensive incident response.

Threat Actor Profile

The threat actors exploiting SolarWinds Web Help Desk vulnerabilities exhibit advanced operational capabilities, leveraging both automated scanning and manual post-exploitation techniques. While no single advanced persistent threat (APT) group has been definitively attributed, the tactics, techniques, and procedures (TTPs) observed align with those of financially motivated cybercriminals and state-sponsored actors. These adversaries demonstrate proficiency in living-off-the-land (LOTL) methods, abuse of legitimate remote management tools, and stealthy lateral movement. The use of multi-stage payloads, credential harvesting, and domain replication attacks suggests a high level of technical acumen and a focus on maximizing impact within compromised environments.

Technical Analysis of Malware/TTPs

The exploitation chain begins with the identification of internet-exposed SolarWinds Web Help Desk instances, typically through mass scanning for vulnerable endpoints such as /helpdesk/WebObjects/Helpdesk.woa/wo/* and the AjaxProxy component. Attackers exploit deserialization vulnerabilities (notably CVE-2024-23476) to achieve unauthenticated RCE. Malicious payloads are delivered via crafted HTTP requests, bypassing input validation and whitelisting mechanisms.

Upon successful exploitation, the initial payload often spawns a PowerShell process, which downloads and executes secondary malware using the Background Intelligent Transfer Service (BITS). Persistence is established through the installation of legitimate remote monitoring and management (RMM) tools, such as Zoho ManageEngine, and the creation of scheduled tasks that launch covert virtual machines using QEMU. Lateral movement is facilitated by establishing reverse SSH and RDP tunnels, enabling remote access to internal systems.

Credential harvesting is achieved through DLL sideloading attacks, where legitimate binaries like wab.exe are used to load malicious sspicli.dll files, granting access to LSASS memory and stored credentials. In advanced scenarios, attackers perform DCSync attacks, replicating Active Directory data to achieve full domain compromise. The use of default static credentials (e.g., "client"/"client") in some WHD installations further exacerbates the risk of privilege escalation.

Key indicators of compromise (IOCs) include anomalous log entries referencing unauthorized logins, errors in the org.jabsorb.JSONRPCBridge component, and the presence of suspicious artifacts such as ToolsIQ.exe, scheduled QEMU tasks, and unauthorized RMM software. Network indicators include outbound LDAP/JNDI lookups and SSH traffic on non-standard ports.
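A defender-side triage of the indicators listed above, as an added example that is not part of the original advisory or of any vendor tooling: it counts external hits on the WHD endpoints in web-server access logs, pulls org.jabsorb.JSONRPCBridge errors from the application log, and flags the host artifacts described (wab.exe loading sspicli.dll from outside System32, QEMU images, ToolsIQ.exe). The log lines, endpoint events, file paths and the RFC 1918 definition of "internal" are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

ACCESS_LOG = [  # constructed web-server access lines, not real captures
    '203.0.113.7 - - [12/May/2025:10:01:02 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wo/AjaxProxy HTTP/1.1" 500 512',
    '203.0.113.7 - - [12/May/2025:10:01:03 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wo/AjaxProxy HTTP/1.1" 500 512',
    '10.0.5.21 - - [12/May/2025:10:02:00 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/AjaxProxy HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/May/2025:10:05:09 +0000] "GET /helpdesk/static/app.css HTTP/1.1" 200 2048',
]
APP_LOG = [  # constructed WHD application-log lines
    'ERROR org.jabsorb.JSONRPCBridge - Unable to process request from 203.0.113.7',
    'INFO  com.solarwinds.whd - scheduled report completed',
]
ENDPOINT_EVENTS = [  # constructed EDR-style events: image = process path, loaded = DLL it loaded
    {"image": r"C:\Program Files\Windows Mail\wab.exe", "loaded": r"C:\Users\Public\sspicli.dll"},
    {"image": r"C:\Windows\System32\lsass.exe", "loaded": r"C:\Windows\System32\sspicli.dll"},
    {"image": r"C:\ProgramData\vm\qemu-system-x86_64.exe", "loaded": ""},
    {"image": r"C:\Temp\ToolsIQ.exe", "loaded": ""},
]

ACCESS_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*"')
WHD_ENDPOINTS = ("/helpdesk/WebObjects/Helpdesk.woa/wo/", "AjaxProxy")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(src):  # assumption: RFC 1918 space is internal, everything else is external
    return not any(ip_address(src) in net for net in INTERNAL_NETS)

def external_whd_hits(lines):
    """Count requests per external source IP to the WHD endpoints named in the analysis."""
    parsed = [ACCESS_RE.match(line) for line in lines]
    return Counter(m.group(1) for m in parsed if m and is_external(m.group(1))
                   and any(ep in m.group(2) for ep in WHD_ENDPOINTS))

def jsonrpc_bridge_errors(lines):
    """Application-log errors from org.jabsorb.JSONRPCBridge, one of the listed IOCs."""
    return [l for l in lines if "ERROR" in l and "org.jabsorb.JSONRPCBridge" in l]

def flag_endpoint_events(events):
    """Flag sspicli.dll sideloaded by wab.exe from outside System32, plus QEMU and ToolsIQ.exe images."""
    findings = []
    for ev in events:
        loaded = ev["loaded"].lower()
        name = ev["image"].lower().rsplit("\\", 1)[-1]
        if name == "wab.exe" and loaded.endswith("sspicli.dll") and "\\windows\\system32\\" not in loaded:
            findings.append(("dll-sideload", ev["image"]))
        elif "qemu" in name or name == "toolsiq.exe":
            findings.append(("suspicious-binary", ev["image"]))
    return findings
```

Hits from a single external address on the AjaxProxy endpoint should be correlated with the JSONRPCBridge errors by timestamp before raising an incident; the functions return data structures so they can be fed into a SIEM query or case file.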

Exploitation in the Wild

Active exploitation of SolarWinds Web Help Desk vulnerabilities has been confirmed by multiple security vendors, including Microsoft, Horizon3.ai, and Huntress. Organizations across various sectors have reported incidents involving initial access via WHD, followed by rapid escalation to domain-wide compromise. Attackers have demonstrated the ability to bypass existing security controls, evade detection through the use of legitimate tools, and maintain persistence over extended periods.

The exploitation activity is characterized by a high degree of automation in the initial scanning and exploitation phases, followed by manual intervention for post-exploitation tasks such as credential harvesting, lateral movement, and data exfiltration. The observed TTPs map to several MITRE ATT&CK techniques, including T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1219 (Remote Access Software), T1003.006 (DCSync), and T1574.002 (DLL Side-Loading).

Victimology and Targeting

Victims of these attacks span a broad range of industries, including government, healthcare, education, and critical infrastructure. The common denominator among targeted organizations is the presence of internet-exposed SolarWinds Web Help Desk servers running vulnerable versions. Attackers prioritize targets with weak credential hygiene, inadequate network segmentation, and insufficient monitoring of administrative interfaces.

The exploitation is opportunistic in nature, with threat actors leveraging automated tools to identify and compromise as many vulnerable instances as possible. However, in several cases, post-exploitation activity has demonstrated a targeted approach, with attackers conducting reconnaissance, privilege escalation, and data exfiltration tailored to the specific environment.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by these vulnerabilities. Organizations must upgrade to SolarWinds Web Help Desk version 12.8.8 Hotfix 2 or later, as these releases address the critical deserialization and authentication bypass flaws. Public access to WHD administrative interfaces and endpoints should be restricted through network segmentation and firewall rules.

Credential hygiene is paramount; all credentials associated with WHD, including service and administrative accounts, must be rotated. Unauthorized remote management tools and suspicious scheduled tasks should be identified and removed. Enhanced logging and monitoring of the AjaxProxy component and related endpoints are essential for early detection of exploitation attempts.

Security teams should proactively hunt for indicators of compromise, including anomalous log entries, the presence of unauthorized binaries, and unusual network traffic patterns. The use of endpoint detection and response (EDR) solutions, combined with threat intelligence feeds, can aid in the identification and remediation of malicious activity. Organizations are encouraged to leverage detection rules and queries provided by vendors such as Microsoft and Horizon3.ai for comprehensive threat hunting.
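A remediation-priority check for the upgrade step, as an added example that is not part of the advisory or of SolarWinds tooling: it parses WHD version strings against the 12.8.8 Hotfix 2 floor stated above and orders vulnerable hosts so internet-exposed ones are patched first. The inventory and the accepted version-string formats ("12.8.8 Hotfix 2", "12.8.8 HF2", "12.8.7") are assumptions.

```python
import re

# 12.8.8 Hotfix 2 is the minimum fixed release the advisory names, as (major, minor, patch, hotfix).
FIXED_VERSION = (12, 8, 8, 2)

# Assumed version-string format; a release with no hotfix suffix is treated as hotfix 0.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:Hotfix|HF)\s*(\d+))?\s*$", re.I)

def parse_whd_version(text):
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def is_vulnerable(text):
    """True when the version sorts below 12.8.8 Hotfix 2."""
    return parse_whd_version(text) < FIXED_VERSION

# Constructed inventory; hostnames and versions are illustrative, not from any real environment.
INVENTORY = [
    {"host": "whd-dmz-01", "version": "12.8.7", "internet_exposed": True},
    {"host": "whd-corp-02", "version": "12.8.8 Hotfix 1", "internet_exposed": False},
    {"host": "whd-corp-03", "version": "12.8.8 Hotfix 2", "internet_exposed": True},
    {"host": "whd-lab-04", "version": "12.8.8 HF3", "internet_exposed": False},
]

def prioritise(inventory):
    """Vulnerable hosts only, internet-exposed first, then oldest version first."""
    vulnerable = [h for h in inventory if is_vulnerable(h["version"])]
    return sorted(vulnerable, key=lambda h: (not h["internet_exposed"], parse_whd_version(h["version"])))
```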

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, we are happy to answer questions at ops@rescana.com.
