A few weeks ago, researchers identified a severe zero-day remote code execution vulnerability being exploited in SolarWinds Serv-U FTP software. Details about the attacker behind it have now been disclosed.

What has happened?

Recently, Microsoft attributed a limited and highly targeted attack on SolarWinds Serv-U to a China-based threat actor it tracks as DEV-0322.
  • The actor abuses Serv-U servers by connecting to the exposed SSH port and sending a malicious pre-authentication connection request that executes its code and gives it control of the device.
  • Some Serv-U binaries were not built with ASLR (Address Space Layout Randomization), which left them easier for attackers to exploit reliably.
  • Microsoft did not provide information about the actor's post-compromise activity, such as cyberespionage, intelligence collection, or cryptomining.
  • It did, however, publish technical details of how the attackers exploited the zero-day. The flaw is tracked as CVE-2021-35211, and a patch is now available.

Chinese threat actors and SolarWinds

This is not the first time a SolarWinds flaw has been exploited by Chinese threat actors. In February of this year, an investigation found SolarWinds flaws being abused by Chinese hackers.
  • Secureworks, the security firm that discovered the attacks, named the threat group Spiral and assessed it to be based in China.
  • Spiral exploited a zero-day flaw in the Orion IT monitoring platform. The flaw, tracked as CVE-2020-10148, is an authentication bypass that enables remote command execution.

Conclusion

Attackers appear to have taken a special interest in SolarWinds, as several threat actors have targeted the company's products over an extended period. To prevent exploitation of the Serv-U FTP flaw by DEV-0322 or any other threat actor, keeping the application up to date is essential. SolarWinds has already released an advisory, and its guidance should be applied as soon as possible.

Cyware Publisher