On Tuesday, Microsoft revealed that Chinese hackers exploited a zero-day vulnerability in a SolarWinds product. According to Microsoft, the hackers were almost certainly targeting software companies and the US defense industry.
SolarWinds disclosed the zero-day vulnerability on Monday, after Microsoft notified the company that a previously unknown vulnerability in its Serv-U product was being actively exploited.
The Microsoft Threat Intelligence Center (MSTIC) identified the characteristics of the exploit from telemetry, but not the root-cause vulnerability. MSTIC then collaborated with the Microsoft Offensive Security Research team, which performed vulnerability research on the Serv-U binary and discovered the flaw through black-box analysis.
Microsoft announced on Tuesday that it is designating the hacking group DEV-0322 for the time being. The "DEV" prefix marks a "development group", a temporary designation Microsoft uses until its researchers have a high level of confidence in the origin or identity of the actor behind an operation. According to the company, the attackers are physically located in China and frequently rely on botnets made up of routers or other IoT devices.
MSTIC has observed DEV-0322 targeting entities in the US Defense Industrial Base Sector and software companies, Microsoft Threat Intelligence Center researchers wrote in a blog post. This activity group is based in China and has been seen using commercial VPN solutions and compromised consumer routers as part of their attacker infrastructure.
The zero-day vulnerability
The zero-day vulnerability, tracked as CVE-2021-35211, is in SolarWinds' Serv-U product, which customers use to transfer files across networks. Exploiting it allows attackers to remotely run malicious code with high system privileges when the Serv-U SSH service is exposed. From there, attackers can install and execute malicious payloads, as well as view and modify data.
SolarWinds became a household name overnight in late December after researchers discovered it was at the heart of a global supply chain attack. After infiltrating SolarWinds’ software development system, the attackers used their access to distribute a malicious update to approximately 18,000 customers of the company’s Orion network management tool.
Of those 18,000 customers, approximately nine US government agencies and about 100 private-industry organizations received follow-up malware. The federal government has blamed the attacks on Russia's Foreign Intelligence Service, known as the SVR. The SVR has been conducting malware campaigns against governments, political think tanks, and other organizations for more than a decade.
The zero-day attacks that Microsoft discovered and reported have nothing to do with the Orion supply chain attack.
Lastly, SolarWinds patched the vulnerability over the weekend. Anyone running a vulnerable version of Serv-U should update right away and look for signs of compromise.