SparTech Software CyberPulse – Your quick strike cyber update for February 10, 2026 5:02 AM

SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks

In a sophisticated multi-stage campaign, attackers have exploited vulnerabilities in SolarWinds Web Help Desk to achieve remote code execution on exposed servers, enabling persistent access and lateral movement within victim networks.

Attack Mechanics

Attackers initiate the campaign by scanning for internet-facing SolarWinds Web Help Desk instances, targeting versions prior to 12.7.7 HotFix 1. The primary entry point leverages CVE-2026-xxxx, an authentication bypass flaw that allows unauthenticated access to administrative functions. Once inside, threat actors upload a malicious Java servlet exploiting a deserialization vulnerability, triggering remote code execution. This servlet establishes a reverse shell connection to a command-and-control server, granting attackers shell-level access.

Post-Exploitation Tactics

Following initial foothold, attackers deploy a custom PowerShell-based loader that enumerates system privileges, disables Windows Defender real-time protection via registry modifications at HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, and creates a scheduled task for persistence named “WindowsUpdateCheck” running every 15 minutes. The loader fetches second-stage payloads, including a Cobalt Strike beacon disguised as a legitimate DLL, which facilitates keylogging, screenshot capture, and credential dumping from LSASS using MiniDumpWriteDump API calls.

Technical Indicators and Mitigation

Indicators of compromise include network traffic to domains like helpdesk-update[.]com on port 443, anomalous Java processes spawning cmd.exe, and files such as updateServlet.war in the webapps directory. Organizations should immediately patch to version 12.7.7 HotFix 1 or later, implement network segmentation for help desk servers, enforce the principle of least privilege, and deploy endpoint detection rules for servlet uploads and PowerShell obfuscation patterns.
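The post-exploitation behaviours and the indicators listed above map naturally onto a small set of detection rules. The following is an added example written for this update, not code from the article, SolarWinds or any vendor: it scores constructed endpoint and network telemetry against the article's indicators (the C2 domain, the updateServlet.war file in a webapps directory, the Defender policy registry key, the "WindowsUpdateCheck" task and its 15-minute interval, Java spawning cmd.exe). The event shapes, field names, sample paths and the PowerShell obfuscation markers are assumptions of the example.

```python
# Added example: rule set over constructed telemetry for the Web Help Desk
# campaign indicators. Event dictionaries, field names and sample paths are
# assumptions; IOC values come from the article text.
import re

IOC_DOMAINS = {"helpdesk-update.com"}      # article gives it de-fanged as helpdesk-update[.]com
IOC_FILES = {"updateservlet.war"}          # compared lower-case
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
SUSPICIOUS_TASK = "WindowsUpdateCheck"
JAVA_RE = re.compile(r"(^|\\)javaw?\.exe$", re.IGNORECASE)
CMD_RE = re.compile(r"(^|\\)cmd\.exe$", re.IGNORECASE)
PS_RE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.IGNORECASE)
# Generic PowerShell obfuscation markers (assumed; the article names none).
PS_OBFUSCATION_RE = re.compile(
    r"(?:\s-e(?:nc|ncodedcommand)?\s|frombase64string|-nop\b.*-w\s+hidden)", re.IGNORECASE)


def check_event(ev):
    """Return the names of the rules a single telemetry event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image, parent, cmd = ev.get("image", ""), ev.get("parent", ""), ev.get("cmdline", "")
        if JAVA_RE.search(parent) and CMD_RE.search(image):
            hits.append("java_spawns_cmd")            # Java servlet container -> shell
        if PS_RE.search(image) and PS_OBFUSCATION_RE.search(cmd):
            hits.append("powershell_obfuscation")
    elif kind == "registry":
        key, value = ev.get("key", "").lower(), ev.get("value", "").lower()
        # Any Disable* DWORD set to 1 under the Defender policy key is suspicious.
        if key.startswith(DEFENDER_POLICY_KEY) and value.startswith("disable") and ev.get("data") == 1:
            hits.append("defender_disabled_by_policy")
    elif kind == "task":
        action = ev.get("action", "").lower()
        if ev.get("name") == SUSPICIOUS_TASK or (ev.get("interval_min") == 15 and "powershell" in action):
            hits.append("persistence_task")
    elif kind == "file":
        path = ev.get("path", "").lower()
        if path.split("\\")[-1] in IOC_FILES and "\\webapps\\" in path:
            hits.append("servlet_upload")
    elif kind == "network":
        if ev.get("domain", "").lower() in IOC_DOMAINS:
            hits.append("c2_domain")
    return hits


def triage(events):
    """Run every event through the rules; return (event_index, rule) pairs in order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry: five malicious events, one obfuscated PowerShell
# launch, then two benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\WebHelpDesk\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"type": "task", "name": "WindowsUpdateCheck", "interval_min": 15,
     "action": r"powershell.exe -w hidden -File C:\Users\Public\u.ps1"},
    {"type": "file", "path": r"C:\WebHelpDesk\webapps\updateServlet.war"},
    {"type": "network", "domain": "helpdesk-update.com", "port": 443},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "task", "name": "VendorUpdateTask", "interval_min": 60,
     "action": r"C:\Program Files\Vendor\update.exe"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The domain rule deliberately ignores the port: an indicator domain contacted on any port is worth a look, and port 443 alone is too common to carry signal. The registry rule matches any Disable* value under the policy key rather than one specific value name, which keeps it robust to variants of the same tampering.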

Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Data

Dutch authorities have verified that a zero-day vulnerability in Ivanti products was exploited to expose contact details of government employees, highlighting ongoing risks in enterprise access management gateways.

Vulnerability Details

The exploit targeted CVE-2026-yyyy, a path traversal flaw in Ivanti Connect Secure and Policy Secure gateways, allowing arbitrary file reads without authentication. Attackers chained this with a command injection primitive to extract sensitive configuration files, including user databases stored in /var/db/polman.sdb, revealing plaintext employee names, emails, phone numbers, and department affiliations for over 1,200 personnel.

Exploitation Timeline and Scope

Initial exploitation occurred in late January 2026, with attackers using stolen N-day exploits from underground markets. The campaign involved reconnaissance scans followed by file exfiltration via HTTP POST requests to external C2 servers. Dutch NCSC confirmed no evidence of deeper network compromise, but the exposed data has fueled targeted phishing against affected employees.

Defensive Measures

Apply Ivanti’s emergency patches SB20260201 and subsequent updates, which introduce input sanitization and file access controls. Enable logging for /auth/login.cgi endpoints, monitor for anomalous 404 errors on traversed paths, and consider web application firewalls with custom rules blocking directory traversal payloads like “../../../etc/passwd”. Conduct full compromise assessments using tools like BloodHound for Active Directory enumeration.
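The traversal monitoring recommended above can be checked on the log side as well as at the WAF. The following is an added example written for this update, not code from the article or from Ivanti: it normalises request paths (repeated percent-decoding so %252e collapses to a dot, backslashes to slashes), flags any request whose path or query contains a ".." segment, and counts traversal requests that ended in 404 per source address. The log lines are constructed in common log format, and the alert threshold is an assumption.

```python
# Added example: traversal detection over constructed web server access logs.
# Log format is Apache/nginx common log format; the threshold is assumed.
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(raw):
    """Decode nested percent-encoding (%252e -> %2e -> .) and unify separators."""
    path = raw
    for _ in range(3):                      # bounded: three decode rounds is plenty
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path):
    """True if any path or query segment is a bare '..' parent reference.
    Segments like '..b' are not traversal and are not flagged."""
    p = normalize_path(raw_path)
    return any(seg == ".." for seg in re.split(r"[/?&=]", p))


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, threshold=3):
    """Return every traversal request and the sources with >= threshold traversal 404s."""
    traversal, not_found = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_traversal(rec["path"]):
            continue
        traversal.append((rec["ip"], normalize_path(rec["path"]), rec["status"]))
        if rec["status"] == 404:            # a scan probing paths that do not exist
            not_found[rec["ip"]] += 1
    suspicious = {ip: n for ip, n in not_found.items() if n >= threshold}
    return {"traversal_requests": traversal, "suspicious_sources": suspicious}


# Constructed log lines: one source probing with plain, single-, double- and
# backslash-encoded traversal, two benign clients, one internal relative link.
LOG_LINES = [
    '203.0.113.7 - - [28/Jan/2026:03:14:01 +0000] "GET /auth/login.cgi?f=../../../etc/passwd HTTP/1.1" 404 162',
    '203.0.113.7 - - [28/Jan/2026:03:14:02 +0000] "GET /auth/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 162',
    '203.0.113.7 - - [28/Jan/2026:03:14:03 +0000] "GET /auth/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 162',
    '203.0.113.7 - - [28/Jan/2026:03:14:04 +0000] "GET /auth/..%5c..%5cetc/shadow HTTP/1.1" 404 162',
    '198.51.100.4 - - [28/Jan/2026:03:15:10 +0000] "GET /auth/login.cgi HTTP/1.1" 200 5120',
    '198.51.100.4 - - [28/Jan/2026:03:15:12 +0000] "GET /images/logo.png HTTP/1.1" 304 0',
    '192.0.2.9 - - [28/Jan/2026:03:16:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    result = analyze(LOG_LINES)
    for ip, path, status in result["traversal_requests"]:
        print(f"{ip} {status} {path}")
    print("suspicious:", result["suspicious_sources"])
```

Decoding before matching is the important part: a rule that looks only for the literal string "../" misses %2e%2e, double-encoded %252e and backslash variants, all of which the normaliser collapses to the same ".." segment. The 404 counter separates a scanner walking non-existent paths from a single odd-looking but legitimate relative link.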

UNC3886 Targets Singapore Telecoms with Advanced Persistence

Threat group UNC3886 has launched targeted attacks against Singapore telecommunications providers, deploying custom malware for espionage and data exfiltration from core network infrastructure.

Initial Access Vectors

UNC3886 gains footholds via spear-phishing emails containing LNK files that chain to PowerShell droppers exploiting living-off-the-land binaries like bitsadmin.exe for payload staging. Alternative vectors include exploitation of unpatched Cisco IOS XE appliances using zero-days akin to CVE-2023-20198.

Malware Arsenal

Deployed implants feature kernel-level rootkits hiding processes via DKOM techniques on SSDT hooks, modular C2 over DNS tunneling using TXT records for command issuance, and fileless execution in memory via reflective DLL injection. Persistence is achieved through WMI event subscriptions triggering on logon events, executing payloads from %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

Impact and Recommendations

Compromised telecom nodes enabled traffic interception of SMS and voice metadata for select high-value targets. Mitigate by segmenting management VLANs, implementing zero-trust access with mTLS for admin interfaces, hunting for anomalous DNS queries with high entropy, and deploying EDR with hypervisor-level monitoring for rootkit activity.
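The DNS-tunnelled C2 described in the malware section is what the "high entropy DNS queries" hunt above is meant to surface. The following is an added example written for this update, not code from the article or any UNC3886 report: it computes Shannon entropy over the subdomain labels of each query, flags TXT queries whose label payload is both long and high-entropy, and aggregates flagged queries per source and registered domain. The query records are constructed; the thresholds and the assumption that the registered domain is the last two labels are the example's own.

```python
# Added example: entropy-based hunt for DNS-tunnelling TXT queries over
# constructed resolver logs. Thresholds and the two-label zone split are assumed.
import math
from collections import Counter


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname, zone_labels=2):
    """Split 'a.b.example.com' into (subdomain labels, registered domain).
    Assumes the registered domain is the last two labels; real deployments
    would use a public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-zone_labels], ".".join(labels[-zone_labels:])


def score_query(qname):
    subs, base = split_name(qname)
    payload = "".join(subs)                 # attacker-controlled part of the name
    return {"base": base, "payload_len": len(payload), "entropy": shannon_entropy(payload)}


def hunt(records, entropy_min=3.5, len_min=20):
    """Flag TXT queries whose subdomain payload is long and high-entropy.
    records are (timestamp, source_ip, qname, qtype) tuples.
    Returns (flagged [(src, qname)], {(src, base_domain): count})."""
    flagged, per_source = [], Counter()
    for _ts, src, qname, qtype in records:
        s = score_query(qname)
        if qtype == "TXT" and s["payload_len"] >= len_min and s["entropy"] >= entropy_min:
            flagged.append((src, qname))
            per_source[(src, s["base"])] += 1
    return flagged, dict(per_source)


# Constructed resolver log: normal lookups, two encoded-looking TXT queries to
# a made-up domain, and a long but low-entropy TXT name that must not fire.
SAMPLE_RECORDS = [
    ("2026-02-09T10:00:01", "10.0.0.5", "www.example.com", "A"),
    ("2026-02-09T10:00:02", "10.0.0.5", "_dmarc.example.com", "TXT"),
    ("2026-02-09T10:00:03", "10.0.0.5", "3q9z7k2mvb8x1dpw4hsyr0lt6cn5.ctl.example-c2.test", "TXT"),
    ("2026-02-09T10:00:04", "10.0.0.5", "k7d2e9x4m1qz0v5pb8nw3jr6ta.ctl.example-c2.test", "TXT"),
    ("2026-02-09T10:00:05", "10.0.0.6", "aaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com", "TXT"),
    ("2026-02-09T10:00:06", "10.0.0.6", "mail.corp.example.com", "MX"),
]

if __name__ == "__main__":
    flagged, per_source = hunt(SAMPLE_RECORDS)
    for src, qname in flagged:
        print(f"{src} -> {qname} entropy={score_query(qname)['entropy']:.2f}")
    print(per_source)
```

Entropy alone is a weak signal (CDN and anti-spam names are also random-looking), which is why the example also requires a minimum payload length and the TXT type the article associates with command issuance, and reports per (source, domain) counts so that a single host repeatedly querying one domain stands out from background noise.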

AISURU Botnet Launches Record 31.4 Tbps DDoS Attack

The AISURU/Kimwolf botnet executed an unprecedented 31.4 Tbps DDoS attack lasting 35 seconds, overwhelming target infrastructure through massive volumetric amplification.

Botnet Architecture

AISURU comprises over 500,000 compromised IoT devices, primarily Memcached servers and CLDAP reflectors misconfigured for open recursion. Infection spreads via weak Telnet credentials and UPnP exploits, with C2 managed over Tor onion services issuing attack commands encoded in base64 payloads.

Attack Execution

The assault utilized multi-vector amplification: UDP floods spoofed with victim IPs reflecting off 10,000+ amplifiers achieving factors up to 50,000x, combined with HTTP/2 rapid reset vectors exhausting server resources. Peak bandwidth hit 31.4 Tbps inbound, saturating 400Gbps links and causing 100% packet loss for 45 seconds post-attack due to residual effects.

Resilience Strategies

Deploy DDoS scrubbing centers with BGP anycast, rate-limit UDP ports 11211 (Memcached) and 389 (CLDAP), implement client-side certificates for IoT device authentication, and monitor for sudden entropy spikes in UDP source ports indicative of reflection abuse.
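The last recommendation, watching UDP source-port entropy, and the reflector ports named alongside it can be turned into a simple windowed detector. The following is an added example written for this update, not code from the article or any DDoS vendor: it buckets UDP packet records into one-second windows, learns a baseline source-port entropy from the first windows, and raises an alert when a window's entropy jumps well above the baseline (spoofed floods randomise source ports) or when most of the bytes in a window arrive from the Memcached (11211) or CLDAP (389) reflector ports. The packet capture is constructed, and the window size, baseline length and thresholds are assumptions.

```python
# Added example: windowed UDP source-port entropy and reflector-port detector
# over a constructed packet stream. Window size and thresholds are assumed.
import math
from collections import Counter, defaultdict

REFLECTOR_PORTS = {11211: "memcached", 389: "cldap"}   # ports named in the article


def shannon_entropy(values):
    """Bits of entropy of a sequence of discrete values (0.0 for empty input)."""
    if not values:
        return 0.0
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def window_stats(packets, window_s=1.0):
    """Bucket (ts, src_ip, src_port, dst_port, length) UDP packets into windows."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p[0] // window_s)].append(p)
    stats = []
    for w in sorted(buckets):
        pk = buckets[w]
        stats.append({
            "window": w,
            "packets": len(pk),
            "bytes": sum(p[4] for p in pk),
            "unique_src_ips": len({p[1] for p in pk}),
            "src_port_entropy": shannon_entropy([p[2] for p in pk]),
            "reflector_bytes": sum(p[4] for p in pk if p[2] in REFLECTOR_PORTS),
        })
    return stats


def detect(packets, baseline_windows=2, entropy_jump=2.0, reflector_ratio=0.5):
    """Return [(window, [reasons])] for windows that deviate from the baseline."""
    stats = window_stats(packets)
    base = stats[:baseline_windows]
    base_entropy = sum(s["src_port_entropy"] for s in base) / len(base)
    alerts = []
    for s in stats[baseline_windows:]:
        reasons = []
        if s["src_port_entropy"] - base_entropy >= entropy_jump:
            reasons.append("source_port_entropy_spike")
        if s["bytes"] and s["reflector_bytes"] / s["bytes"] >= reflector_ratio:
            reasons.append("reflector_amplification")
        if reasons:
            alerts.append((s["window"], reasons))
    return alerts


def constructed_capture():
    """Constructed stream: two quiet windows, a spoofed flood with randomised
    source ports, a reflection window from 11211/389, then quiet again."""
    pk = []
    clients = [("192.0.2.10", 51000), ("192.0.2.11", 51001), ("192.0.2.12", 51002)]
    for w in (0, 1, 4):                               # baseline and recovery windows
        for i in range(4):
            for ip, port in clients:
                pk.append((w + i * 0.2, ip, port, 53, 80))
    for i in range(16):                               # window 2: spoofed flood
        pk.append((2 + i * 0.05, f"198.51.100.{i}", 40000 + i * 97, 53, 60))
    for i in range(10):                               # window 3: reflection
        port = 11211 if i % 2 == 0 else 389
        pk.append((3 + i * 0.08, f"203.0.113.{i}", port, 53, 1400))
    return pk


if __name__ == "__main__":
    for s in window_stats(constructed_capture()):
        print(s)
    print(detect(constructed_capture()))
```

The two signals are complementary: a spoofed direct flood shows up as a source-port entropy spike with no reflector traffic, while a reflection wave has low source-port entropy (every amplifier answers from the same service port) but a high share of bytes from 11211 and 389 and many distinct source addresses. Either condition is a cue to tighten the UDP rate limits the article recommends on those ports.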
