Thursday, 08 December 2022

SolarWinds Says Remove Web Help Desk from Public Access to Avoid Possible Attack


Recently, a SolarWinds Web Help Desk client reported an attempted attack on their externally facing Web Help Desk instance. The attack was caught by their EDR system, which was able to block the attempt. However, after a review, the reported attack has caused concern at SolarWinds, which is now advising its customers to remove public access to avoid possible compromise.

The advisory from SolarWinds, which is being made out of an “abundance of caution”, might seem a bit out of pattern. However, after recent events related to other SolarWinds products, it seems to be a much more proactive response, and one that could indicate there is a potential pattern in the attack that is concerning. SolarWinds also recommended the installation of EDR agents/software on any Web Help Desk installations that cannot be blocked from public access (this should already be the case anyway).

Web Help Desk is SolarWinds’ ticketing and IT inventory management software. Because it can provide quick access to information about a target organization, and potentially access into a network via the publicly exposed side, it is a nice target.

No details on the originally attacked customer have been released, but there are several vulnerabilities in WHD below version 12.7.6 that could allow an attacker to compromise the system and gain a foothold in the hosting network. SolarWinds has said they will continue to investigate the attack to ensure there is not a larger issue. They also do not believe that other WHD customers are currently affected, which is an odd thing to say given the extreme response to the single reported attack.

As always, organizations are advised to secure their externally facing resources with Web Application Firewalls, to install EDR on all systems, and to ensure that the latest updates are installed to prevent exploitation of a known vulnerability.

Happy patching
