APT

China-linked hacking group DEV-0322 behind Solarwinds Serv-U zero-day attacks

Microsoft attributes the recent attacks that have targeted SolarWinds file transfer servers to a China-linked APT group that the experts tracked as DEV-0322.

Microsoft said that the recent attacks against SolarWinds file transfer servers were carried out by a Chinese hacking group tracked as DEV-0322.

This week SolarWinds addressed a zero-day remote code execution flaw (CVE-2021-35211) in Serv-U products which is actively exploited in the wild by a single threat actor.

SolarWinds was informed of the zero-day by Microsoft, the issue affects Serv-U Managed File Transfer Server and Serv-U Secured FTP. According to Microsoft, the flaw was exploited in attacks against a limited, targeted set of customers by a single threat actor.

The issue resides in Serv-U version 15.2.3 HF1 and all prior versions, the vendor released Serv-U version 15.2.3 hotfix (HF) 2 to fix the issue. All other SolarWinds and N-able (formerly SolarWinds MSP) are not affected by this issue, including the Orion Platform, and all Orion Platform modules. 

“Microsoft reported to SolarWinds that they had discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product. Microsoft provided a proof of concept of the exploit. If exploited, a threat actor may be able to gain privileged access to the threat actor on the machine hosting Serv-U.” reads the advisory published by SolarWinds. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability.”

The experts pointed out that this issue is not linked to the SolarWinds supply chain attack.

Now Microsoft provided further details about the attacks and the attack chain used by the threat actors.

The researchers refer to the threat actor as a DEV, which means that it is classified as a “development group,” and assign each DEV group a unique number (DEV-####) for tracking purposes. Microsoft has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. According to the experts, the APT group is based in China and employed commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation. 

“MSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised.” reads the post published by Microsoft.

Microsoft also provided detection guidance to allow admins to check for indicators of compromise within their infrastructure.

“Customers should review the Serv-U DebugSocketLog.txt log file for exception messages like the line below. A C0000005; CSUSSHSocket::ProcessReceive exception can indicate that an exploit was attempted, but it can also appear for unrelated reasons. Either way, if the exception is found, customers should carefully review their logs for behaviors and indicators of compromise discussed here.” continues Microsoft.

This isn’t the first time that Chinese hacking groups target SolarWinds solutions, experts also spotted another China-linked APT group, tracked as Spiral, targeting the vendor.

Researchers at Secureworks’ counter threat unit (CTU) were investigating the exploit of SolarWinds servers to deploy the Supernova web shell when collected evidence that linked the malicious activity to the Spiral cyberespionage group.

The attackers were observed exploiting the CVE-2020-10148 authentication bypass issue in the SolarWinds Orion API to remotely execute API commands.

Once the attackers have exploited the issue on a vulnerable server, they have deployed the Supernova web shell to disk using a PowerShell command.

SolarWinds customers using Serv-U file transfer servers have to install their company’s patch, the company also recommends disabling SSH access to the server as temporary mitigation.

Unfortunately, the number of SolarWinds Serv-U systems that exposed the SSH port online is still high and hasn’t decreased since the disclosure of the recent wave of attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

5 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

17 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

21 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.