Microsoft has sounded yet another alarm over a zero-day vulnerability affecting SolarWinds Serv-U FTP software that is being exploited by Chinese hackers to carry out remote code execution and run malicious payloads in targeted environments.
In a blog post published on Tuesday, Microsoft said it detected a zero-day remote code execution exploit being used by Chinese threat actors to attack SolarWinds Serv-U FTP software in limited and targeted attacks. This exploitation was carried out soon after SolarWinds released a security update for a zero-day vulnerability in Serv-U FTP servers.
According to Microsoft, DEV-0322, a China-based threat actor group, is believed to be behind these attacks. Microsoft was able to attribute the attacks to the hacker group after observing its victimology, tactics, and procedures.
Microsoft has reported this exploitation to SolarWinds and stated that the vulnerability is in Serv-U’s implementation of the Secure Shell (SSH) protocol. If the Serv-U SSH service is exposed to the internet, it gives attackers the ability to “remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data.”
After being notified by Microsoft, SolarWinds released a fix for the Serv-U Managed File Transfer Server and Serv-U Secured FTP security vulnerability. SolarWinds has also confirmed that the vulnerability exists in the latest Serv-U version 15.2.3 HF1, released May 5, 2021, and in all prior versions.
The company said that only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows are affected by this vulnerability and that the Linux versions of these products are not vulnerable to an RCE exploit of this security vulnerability. The Linux version of the Serv-U product crashes when the exploit is attempted by a threat actor.
In the blog post, Microsoft said that the hacker group DEV-0322 is exploiting the SolarWinds vulnerability to target entities in the U.S. Defense Industrial Base Sector and software companies. This group, based in China, has been observed using commercial VPN solutions and compromised consumer routers in its attack infrastructure.
Commenting on the exploitation of yet another vulnerability in SolarWinds software, Lewis Jones, threat intelligence analyst at Talion, says that this is not the first time that Chinese threat actors have targeted SolarWinds. After the large-scale supply chain attack against SolarWinds in 2020, it was widely reported that a Chinese threat group had exploited a vulnerability in SolarWinds’ Orion product as part of a campaign that targeted at least one US government organisation.
“China has spent the last 20+ years utilizing the cyber landscape to progressively become one of the world’s most sophisticated and consistent cyber threats. Due to China’s top provocation of espionage, government agencies and defence have been high-level targets, aiming to steal intellectual property and sensitive/classified information. The recommendations are simple: implement the patch as swiftly as possible and follow the suggested actions to check for any indication of compromise,” he adds.