Posted on July 14, 2021 at 2:27 PM
Microsoft’s Threat Intelligence Center has discovered a new zero-day vulnerability in the SolarWinds software. According to the report, the software is being exploited by a Chinese hacking syndicate.
However, the recent bug discovered by the Microsoft security team involves the Serv-U file transfer protocol.
The China-linked APT group has been tracked by security experts as DEV-0322.
SolarWinds, this week, warned about the zero-day vulnerability called CVE-2-21-35211 in the Serv-U products which has been exploited by a single threat actor.
The bug was exploited on few targeted customers
Microsoft informed Solarwinds about the zero-day, stating that the issue impacts the Serv-U Secured FTP and the Serv-U Managed File Transfer Server. According to the tech giant, the vulnerability was exploited on a small set of targeted customers.
Microsoft also provided a proof of concept of the exploit, saying that an attacker could have privilege access to the network on the device hosting Serv-U. While Microsoft has shown evidence of the exploit, SolarWinds says it hasn’t been able to prove that customers will be directly affected by the vulnerability.
However, the security experts noted that the recent issue is not connected to the SolarWinds supply chain attack.
Hackers are employing commercial VPN solutions
Microsoft has also offered more insights into the threat and its susceptibility. According to the researchers, who referred to the threat as DEV, each group is assigned a unique number for tracking. Microsoft says it has discovered DEV-0322 launching attacks on software firms and U.S. Defense Industrial Base Sector.
The threat actors targeting the vulnerability are employing vulnerable consumer routes and commercial VPN solutions in their attacking methods. This shows the level of seriousness and preparation the threat actors have made to become successful in the new wave of attack. While any serious attack has not been identified yet, Microsoft is advising companies to take proactive measures to avoid becoming victims of the new attacking scheme.
Microsoft said it first discovered the DEV-0322 attacks during a routine investigation when it was analyzing the Microsoft 365 Defender telemetry.
“MSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation,” Microsoft researchers stated. The tech giant has also laid out detection guidance to enable administrators to verify if there are any indications of infiltrations within their infrastructure.
Customers should review their logs for exploits
Customers have been asked to examine the Serv-U DebugSocketLog.txt log file for a trace of any message indicating a compromise. For example, an exception message like CSUSSHSocket::ProcessReceive can show that a threat actor tried to exploit the system. However, sometimes such a message may show for reasons not related to exploitation. But if the customer sees an exception, they should review their logs for indicators or behaviors linking to infiltrations or compromise.
This is not the first time that the China-linked hacking syndicate has targeted SolarWinds solutions. Recently, the APT group, named Spiral was seen targeting the vendor.
The recent investigation researchers at the counter threat unit (CTU) of Secureworks revealed that the threat actors deployed the Supernova web shell during the attack.
The threat actors were exploiting the CVE-2020-10148 vulnerability in the SolarWinds Orion API to execute API commands remotely.
After successfully exploiting the vulnerability, they use the PowerShell command to deliver the Supernova web shell to the targeted devices.
Microsoft has advised the SolarWinds customers that use the Serv-U file transfer servers to update their system with the patch provided. It also recommended the customers disable the SSH access to the server.
Microsoft says it discovered some features of the exploit. However, it did not discover the root cause of the bug. It used the black box analysis to discover the Serv-U binary.
The U.S. government blamed the SolarWinds attack on Russia’s Foreign Intelligence Service, abbreviated as SVR. The group has carried out malware campaigns for over ten years, targeting political think tanks, governments, and other vital organizations around the world.