Researchers delve inside new SolarWinds RCE attack chain | Computer Weekly
Briefly

"The research team at Huntress - which protects multiple SolarWinds customers through its channel - found that having broken into their victim environments, the attackers took control of WHD's service wrapper to spawn the underlying Java application, which enabled them to install a payload, which was in fact a Zoho ManageEngine remote monitoring and management (RMM) agent. This done, the threat actor used the RMM agent to execute several Active Directory discovery commands to enumerate the environment."
"Shortly after this, they opened a Zoho Assist remote session which they used to install the open source digital forensics and incident response (DFIR) tool Velociraptor. "While Velociraptor is designed to help defenders with endpoint monitoring and artifact collection, its capabilities, such as remote command execution, file retrieval, and process execution via VQL queries, make it equally effective as a C2 [Command and Control] framework when pointed at attacker-controlled infrastructure," said Huntress."
A data deserialization vulnerability in SolarWinds Web Help Desk, tracked as CVE-2025-40551, enables remote code execution. The flaw was flagged on 28 January and added to CISA's Known Exploited Vulnerabilities list, requiring immediate remediation by US government agencies. Attackers exploited the vulnerability to take control of the WHD service wrapper, spawn the Java application, and install a Zoho ManageEngine RMM agent. The RMM agent was used to run Active Directory discovery, open Zoho Assist remote sessions, and install Velociraptor. Outdated Velociraptor instances were repurposed as command-and-control, demonstrating extensive post-exploitation activity and misuse of legitimate management services.
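As an added defender-side illustration (not code from Computer Weekly, Huntress or SolarWinds), the script below walks constructed process-creation events, flags every process spawned beneath the Web Help Desk Java process, and labels the dual-use tools the article names when they appear in that lineage. The marker used to recognise the WHD Java process and the tool image names are assumptions.

```python
"""Flag processes spawned beneath the SolarWinds Web Help Desk (WHD) Java
process, using constructed process-creation telemetry. How WHD is recognised
(java.exe with a "whd" jar) and the dual-use tool image names are assumptions,
not indicators from the article or from Huntress."""
import json

# Constructed endpoint telemetry, one process-creation event per line.
SAMPLE_EVENTS = """\
{"pid": 100, "ppid": 1,   "image": "wrapper.exe", "cmdline": "wrapper.exe -s whd.conf"}
{"pid": 200, "ppid": 100, "image": "java.exe",    "cmdline": "java.exe -jar whd.jar"}
{"pid": 300, "ppid": 200, "image": "cmd.exe",     "cmdline": "cmd.exe /c msiexec /i agent.msi /qn"}
{"pid": 301, "ppid": 300, "image": "msiexec.exe", "cmdline": "msiexec /i agent.msi /qn"}
{"pid": 400, "ppid": 301, "image": "MEAgent.exe", "cmdline": "MEAgent.exe"}
{"pid": 500, "ppid": 400, "image": "cmd.exe",     "cmdline": "cmd.exe /c nltest /dclist:"}
{"pid": 600, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"}
"""

# Tools the article names as misused after exploitation; when they descend
# from the web application process they get their own alert kind (names assumed).
DUAL_USE_TOOLS = ("meagent", "zohoassist", "velociraptor")
# Images the WHD Java process is expected to launch (assumption): in steady
# state a help-desk web app has no reason to spawn shells or installers.
EXPECTED_CHILDREN = {"java.exe"}

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_whd_java(ev):
    """WHD runs as a Java application; recognise it by the jar name (assumption)."""
    return ev["image"].lower() == "java.exe" and "whd" in ev["cmdline"].lower()

def detect(events):
    """Return one alert per process that descends from the WHD Java process."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        # Walk the parent chain upward; stop when the WHD Java process is reached.
        depth, cur = 1, by_pid.get(ev["ppid"])
        while cur is not None and not is_whd_java(cur):
            depth += 1
            cur = by_pid.get(cur["ppid"])
        if cur is None or ev["image"].lower() in EXPECTED_CHILDREN:
            continue  # not under WHD, or a child WHD is allowed to spawn
        image = ev["image"].lower()
        kind = "dual-use-tool" if any(t in image for t in DUAL_USE_TOOLS) else "web-app-child"
        alerts.append({"pid": ev["pid"], "image": ev["image"], "depth": depth, "kind": kind})
    return alerts
```

The depth field shows how far down the chain each process sits, so a shell directly under the Java process (depth 1) stands out even before the RMM agent at depth 3 appears.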
Read at ComputerWeekly.com