Microsoft’s Threat Intelligence Center (MSTIC) reported on Tuesday that SolarWinds software was attacked with a zero-day exploit by a hacking group Microsoft tracks as “DEV-0322”. The attackers focused on SolarWinds’ Serv-U FTP software, reportedly with the aim of gaining access to the company’s customers in the US defense industry.
The zero-day attack was first discovered in a routine Microsoft 365 Defender scan. The software flagged an “abnormally malicious process,” which Microsoft describes in more detail in its blog; among other suspicious activity, the attackers appear to have tried to add themselves as Serv-U administrators.
SolarWinds published an advisory on the zero-day on Friday, July 9th, explaining that all Serv-U releases dated May 5 and earlier contained the vulnerability. The company released a hotfix to address the issue, and the flaw has since been patched, but Microsoft writes that when Serv-U’s Secure Shell (SSH) protocol is exposed to the Internet, the attackers “generated arbitrary code with permissions to perform remotely, allowing them to perform actions like installing and running malicious payloads or viewing and modifying data.” Anyone running older Serv-U software is encouraged to update it as soon as possible.
The first hack, which put SolarWinds in the spotlight in December 2020, exposed hundreds of government agencies and companies. Unlike that earlier hack, which is now attributed to a Russian state-sponsored hacking group known as Cozy Bear, Microsoft says this zero-day attack originated in China. DEV-0322 has made a habit of attacking “units in the US defense industry base sector”, Microsoft writes, and the group is known for using “commercial VPN solutions and compromised consumer routers in their attacker infrastructure”.