TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
ID: 30516b53-04c1-5c24-bb8f-7b5d51ab2d54
STIX ID: report--30516b53-04c1-5c24-bb8f-7b5d51ab2d54
Feed Name: Fox-IT blog
NCC Group observed TA505 exploiting CVE-2021-35211 in SolarWinds Serv-U to gain remote code execution, run Base64-encoded PowerShell to deploy Cobalt Strike and Clop ransomware, and persist by hijacking the RegIdleBackup scheduled task and storing a FlawedGrace RAT loader as Base64 in registry CLSID objects. The report provides detection steps (exceptions in the Serv-U DebugSocketlog.txt, PowerShell Event ID 4104, scheduled task and CLSID checks), mitigation (update to Serv-U 15.2.3 HF2), and notes thousands of potentially vulnerable Serv-U instances exposed on the internet (5945 in July 2021, 2784 in October 2021).
