China-linked hacking group DEV-0322 behind Solarwinds Serv-U zero-day attacks

Microsoft attributes the recent attacks that have targeted SolarWinds file transfer servers to a China-linked APT group that the experts tracked as DEV-0322.

Microsoft said that the recent attacks against SolarWinds file transfer servers were carried out by a Chinese hacking group tracked as DEV-0322.

This week SolarWinds addressed a zero-day remote code execution flaw (CVE-2021-35211) in Serv-U products which is actively exploited in the wild by a single threat actor.

SolarWinds was informed of the zero-day by Microsoft, the issue affects Serv-U Managed File Transfer Server and Serv-U Secured FTP. According to Microsoft, the flaw was exploited in attacks against a limited, targeted set of customers by a single threat actor.

The issue resides in Serv-U version 15.2.3 HF1 and all prior versions, the vendor released Serv-U version 15.2.3 hotfix (HF) 2 to fix the issue. All other SolarWinds and N-able (formerly SolarWinds MSP) are not affected by this issue, including the Orion Platform, and all Orion Platform modules. 

“Microsoft reported to SolarWinds that they had discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product. Microsoft provided a proof of concept of the exploit. If exploited, a threat actor may be able to gain privileged access to the threat actor on the machine hosting Serv-U.” reads the advisory published by SolarWinds. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability.”

The experts pointed out that this issue is not linked to the SolarWinds supply chain attack.

Now Microsoft provided further details about the attacks and the attack chain used by the threat actors.

The researchers refer to the threat actor as a DEV, which means that it is classified as a “development group,” and assign each DEV group a unique number (DEV-####) for tracking purposes. Microsoft has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. According to the experts, the APT group is based in China and employed commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation. 

“MSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised.” reads the post published by Microsoft.

Microsoft also provided detection guidance to allow admins to check for indicators of compromise within their infrastructure.

“Customers should review the Serv-U DebugSocketLog.txt log file for exception messages like the line below. A C0000005; CSUSSHSocket::ProcessReceive exception can indicate that an exploit was attempted, but it can also appear for unrelated reasons. Either way, if the exception is found, customers should carefully review their logs for behaviors and indicators of compromise discussed here.” continues Microsoft.

This isn’t the first time that Chinese hacking groups target SolarWinds solutions, experts also spotted another China-linked APT group, tracked as Spiral, targeting the vendor.

Researchers at Secureworks’ counter threat unit (CTU) were investigating the exploit of SolarWinds servers to deploy the Supernova web shell when collected evidence that linked the malicious activity to the Spiral cyberespionage group.

The attackers were observed exploiting the CVE-2020-10148 authentication bypass issue in the SolarWinds Orion API to remotely execute API commands.

Once the attackers have exploited the issue on a vulnerable server, they have deployed the Supernova web shell to disk using a PowerShell command.

SolarWinds customers using Serv-U file transfer servers have to install their company’s patch, the company also recommends disabling SSH access to the server as temporary mitigation.

Unfortunately, the number of SolarWinds Serv-U systems that exposed the SSH port online is still high and hasn’t decreased since the disclosure of the recent wave of attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]