Microsoft has shared additional details on attacks exploiting a recently patched zero-day vulnerability in the SolarWinds Serv-U FTP server. According to the tech giant, the vulnerability was targeted in a campaign conducted by a threat actor tracked as DEV-0322, which operates out of China and was previously observed targeting entities in the U.S. Defense Industrial Base Sector and software companies.
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” Microsoft said.
Over the weekend, SolarWinds released a security update to address a zero-day vulnerability (CVE-2021-35211) impacting Serv-U 15.2.3 HF1 and all prior Serv-U versions. The flaw exists in Serv-U’s implementation of the Secure Shell (SSH) protocol.
“If Serv-U’s SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data,” according to Microsoft.
The company said it discovered the DEV-0322 attacks after its Microsoft 365 Defender solution detected malicious processes spawning from Serv-U’s main application, which prompted an investigation that resulted in discovery of the zero-day vulnerability and the ongoing attacks.
"We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands," Microsoft explained in a blog post.
The threat actor has been also observed adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files.
A Censys search query has shown that there are 8,344 SolarWinds Serv-U systems with SSH port exposed online.