14 July 2021

Microsoft says new SolarWinds zero-day was exploited by China-based threat actor


Microsoft says new SolarWinds zero-day was exploited by China-based threat actor

Microsoft has shared additional details on attacks exploiting a recently patched zero-day vulnerability in the SolarWinds Serv-U FTP server. According to the tech giant, the vulnerability was targeted in a campaign conducted by a threat actor tracked as DEV-0322, which operates out of China and was previously observed targeting entities in the U.S. Defense Industrial Base Sector and software companies.

“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” Microsoft said.

Over the weekend, SolarWinds released a security update to address a zero-day vulnerability (CVE-2021-35211) impacting Serv-U 15.2.3 HF1 and all prior Serv-U versions. The flaw exists in Serv-U’s implementation of the Secure Shell (SSH) protocol.

“If Serv-U’s SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data,” according to Microsoft.

The company said it discovered the DEV-0322 attacks after its Microsoft 365 Defender solution detected malicious processes spawning from Serv-U’s main application, which prompted an investigation that resulted in discovery of the zero-day vulnerability and the ongoing attacks.

"We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands," Microsoft explained in a blog post.

The threat actor has been also observed adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files.

A Censys search query has shown that there are 8,344 SolarWinds Serv-U systems with SSH port exposed online.


Back to the list

Latest Posts

Malicious actors target Kubernetes clusters via Argo Workflows

Malicious actors target Kubernetes clusters via Argo Workflows

In the observed attacks the threat actors deployed a popular cryptocurrency mining container, kannix/monero-miner.
26 July 2021
Kaseya obtains a decryptor for victims of the REvil ransomware attack

Kaseya obtains a decryptor for victims of the REvil ransomware attack

It's not clear, if the company paid any ransom.
23 July 2021
Chinese cyber-spies use hacked routers in attacks against French organizations

Chinese cyber-spies use hacked routers in attacks against French organizations

The hackers are hijacking home routers to build a proxy botnet in order to hide the origins of their attacks.
22 July 2021