Microsoft Threat Intelligence Center (MSTIC) said on Tuesday that a group of hackers it calls “DEV-0322” attacked SolarWinds software using a zero-day exploit. The hackers focused on SolarWinds’ Serv-U FTP software, and their apparent goal was to reach the company’s customers in the U.S. defense industry.

The zero-day attack was first detected in a routine Microsoft 365 Defender scan. The software flagged an “abnormal malicious process,” which Microsoft explains in more detail in a blog post; among other suspicious activities, it appears that the hackers tried to make themselves Serv-U administrators.

SolarWinds reported the zero-day abuse on Friday, July 9th, explaining that the Serv-U release published on May 5 and all earlier releases contained the vulnerability. The company released a patch to address the issue, and the vulnerability has since been fixed, but Microsoft writes that if Serv-U’s Secure Shell (SSH) protocol is exposed to the Internet, hackers could “remotely execute arbitrary code with privileges, install and run malicious payloads, or view and modify data.” All users of older Serv-U software are encouraged to update as soon as possible.

The first hack, which pushed SolarWinds into the limelight in December 2020, affected hundreds of government agencies and companies. Unlike that earlier hack, which is now widely linked to a Russian state-affiliated group of hackers called Cozy Bear, Microsoft says this zero-day attack originated in China. DEV-0322 tends to target “U.S. defense industrial base sector entities,” Microsoft writes, and is known for “the use of commercial VPN solutions and compromised consumer routers in its attacker infrastructure.”