Security news that informs and inspires

Chinese Attack Group Exploiting SolarWinds Zero Day

Microsoft recently discovered an attack group operating from China exploiting a previously unknown vulnerability in the SolarWinds Serv-U products to target a small number of organizations. The vulnerability can lead to remote code execution, and SolarWinds has released a fix for it in a new update after Microsoft informed the company of the attacks.

The bug affects the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP products and lies in their SSH implementation. Microsoft said the attack group that was exploiting it has been known to target companies in the defense and software sectors in the past. Microsoft calls the group DEV-0322, but didn't identify it beyond saying it operates from China. The Microsoft Threat Intelligence Center (MSTIC) gave the details of the exploit and the underlying vulnerability to SolarWinds and worked with the company to help mitigate the attacks.

“MSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised,” Microsoft said.

“We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands. The actor was also found adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files.”
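The three behaviours Microsoft describes above (a child process of Serv-U.exe, command output redirected into the internet-facing \Client\Common\ folder, and a hand-crafted .Archive user record under Global Users) are all things a defender can hunt for in endpoint telemetry. The script below is an added example, not code from Microsoft or SolarWinds: it encodes those three observations as rules over Sysmon-style process-creation and file-creation events that have already been normalised into dicts. The field names, the hostname and the Serv-U install paths in the constructed sample events are assumptions for the demo, not observed indicators.

```python
"""Hunting rules for the Serv-U post-exploitation behaviour Microsoft described.

Added example (not Microsoft's or SolarWinds' code). Assumes Sysmon-style
process_create / file_create events normalised into dicts with the fields used
below; hostnames and install paths in SAMPLE_EVENTS are constructed.
"""
import re
from dataclasses import dataclass

SERVU_IMAGE = "serv-u.exe"

# A shell redirect target: >file, >>file, or > "path with spaces"
_REDIRECT = re.compile(r'>{1,2}\s*(?:"([^"]+)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def child_of_servu(ev: dict):
    """Serv-U.exe normally spawns nothing; MSTIC's first signal was a child process."""
    if ev["event"] != "process_create":
        return None
    if _basename(ev["parent_image"]) != SERVU_IMAGE or _basename(ev["image"]) == SERVU_IMAGE:
        return None
    return Finding("servu_spawned_process", ev["host"], ev["command_line"])


def output_to_client_common(ev: dict):
    """Output redirected into, or a file dropped into, Client\\Common (web-served
    by default) by anything other than Serv-U itself."""
    if ev["event"] == "process_create":
        for m in _REDIRECT.finditer(ev["command_line"]):
            target = m.group(1) or m.group(2)
            if "\\client\\common\\" in target.lower():
                return Finding("redirect_to_client_common", ev["host"], target)
    elif ev["event"] == "file_create":
        if "\\client\\common\\" in ev["target"].lower() and _basename(ev["image"]) != SERVU_IMAGE:
            return Finding("file_written_to_client_common", ev["host"], ev["target"])
    return None


def crafted_archive(ev: dict):
    """A .Archive user record under Global Users written by anything but Serv-U.exe.
    Serv-U writes these itself when an admin adds a user (assumption: treated as
    benign here); a shell writing one is the hand-crafted admin account."""
    if ev["event"] != "file_create":
        return None
    target = ev["target"].lower()
    if "\\global users\\" in target and target.endswith(".archive") and _basename(ev["image"]) != SERVU_IMAGE:
        return Finding("archive_not_written_by_servu", ev["host"], ev["target"])
    return None


RULES = (child_of_servu, output_to_client_common, crafted_archive)


def hunt(events):
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample: a benign service start, the intrusion sequence, and a benign
# admin action (Serv-U itself writing a user record) that must not alert.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "mft01",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     "command_line": r'"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe"'},
    {"event": "process_create", "host": "mft01",
     "parent_image": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c whoami > "C:\Program Files\RhinoSoft\Serv-U\Client\Common\out.txt"'},
    {"event": "file_create", "host": "mft01", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Program Files\RhinoSoft\Serv-U\Client\Common\out.txt"},
    {"event": "file_create", "host": "mft01", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\svc_backup.Archive"},
    {"event": "file_create", "host": "mft01",
     "image": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     "target": r"C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\alice.Archive"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The first rule is the broadest and the cheapest to run at scale; the other two are what you would pivot to once a Serv-U host shows a suspicious child process, and a real deployment would also pull the contents of any .Archive file it flags so the new account can be removed from Serv-U.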

The vulnerability affects Serv-U 15.2.3 HF1 and all earlier versions; the fix ships in Serv-U 15.2.3 HF2, and SolarWinds is urging customers to install the update as soon as possible.

“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability. SolarWinds is unaware of the identity of the potentially affected customers,” SolarWinds said.