Presumed China-based hackers are exploiting a SolarWinds zero-day vulnerability in the Serv-U FTP server.
SolarWinds has just released a security update for a zero-day vulnerability in Serv-U FTP servers that allows remote code execution when SSH is enabled. According to the company, the vulnerability was disclosed to Microsoft, which had observed it being actively exploited to execute commands on vulnerable customers' devices.
Microsoft disclosed that the attacks are attributed with high confidence to a China-based threat group tracked as 'DEV-0322'.
DEV-0322 is a name provided by MSTIC to an unidentified threat actor. The malicious actor is defined as a “development group” or “DEV group” and MSTIC assigns each DEV group a unique number (DEV-####) for tracking purposes.
DEV-0322 has been observed targeting entities in the U.S. Defense Industrial Base Sector and software companies.
It is interesting to note that the group appears to be based in China and has been observed using commercial VPN solutions and compromised consumer routers in its attack infrastructure.
The group targets publicly exposed Serv-U FTP servers belonging to entities in the US Defense Industrial Base Sector and software companies.
The DIB Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Microsoft 365 Defender Telemetry Detected the Attacks
It seems that Microsoft learned about the attacks soon after Microsoft 365 Defender telemetry showed a normally harmless Serv-U process spawning anomalous malicious processes.
We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands.
Other commands could add a global admin user to the Serv-U FTP server configuration, or launch batch files and scripts, most likely to install malware on the devices for persistence and remote access.
Users can check whether their devices were compromised by inspecting the Serv-U DebugSocketLog.txt log file for exception messages such as "C0000005; CSUSSHSocket::ProcessReceive", which could indicate that the threat actors attempted to exploit the Serv-U server.
According to Microsoft, other signs that a device may have been compromised are:
- Recently created .txt files under the Client\Common\ folder.
- Serv-U spawned processes for mshta.exe, powershell.exe, cmd.exe, and processes running from C:\Windows\temp.
- Unrecognized global users in the Serv-U configuration.
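To make the first two file-based checks above repeatable, here is an added triage script (written for this page, not code from the article, SolarWinds or Microsoft) that scans DebugSocketLog.txt for the exception string and lists recently modified .txt files under Client\Common. The Serv-U install-root layout, the log file location and the sample install it builds are assumptions constructed for the example.

```python
import os
import tempfile
import time
from pathlib import Path

# Indicator strings from the article: the exception logged when an exploit attempt crashes the
# SSH handler, and fresh .txt files dropped under Client\Common. Paths below are assumptions.
EXPLOIT_SIGNATURE = "C0000005; CSUSSHSocket::ProcessReceive"

def scan_debug_log(log_path, signature=EXPLOIT_SIGNATURE):
    """Return (line_number, line) for every log line that carries the exploit signature."""
    hits = []
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if signature in line:
                hits.append((lineno, line.rstrip()))
    return hits

def recent_txt_files(common_dir, max_age_days=30, now=None):
    """Return .txt files under the Client/Common folder modified within max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    # st_mtime keeps the check portable; on Windows, st_ctime holds the creation time instead.
    found = [p for p in Path(common_dir).rglob("*.txt") if p.stat().st_mtime >= cutoff]
    return sorted(found, key=lambda p: p.stat().st_mtime, reverse=True)

def triage(install_root, max_age_days=30):
    """Run both file-based checks against a Serv-U install directory (layout assumed)."""
    root = Path(install_root)
    return {
        "exception_hits": scan_debug_log(root / "DebugSocketLog.txt"),
        "recent_txt": recent_txt_files(root / "Client" / "Common", max_age_days),
    }

def make_sample_install():
    """Build a constructed Serv-U tree: one suspicious log line, one fresh and one stale .txt."""
    root = Path(tempfile.mkdtemp(prefix="servu-sample-"))
    (root / "DebugSocketLog.txt").write_text(
        "Socket session opened\n"
        "EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive\n"  # constructed crash entry
        "Socket session closed\n"
    )
    common = root / "Client" / "Common"
    common.mkdir(parents=True)
    (common / "cmdout.txt").write_text("constructed command output\n")
    stale = common / "readme.txt"
    stale.write_text("constructed old file\n")
    os.utime(stale, (time.time() - 90 * 86400,) * 2)  # backdate so it falls outside the window
    return root
```

The process-spawning and unrecognized-global-user indicators need live endpoint telemetry and the Serv-U configuration respectively, so they are not covered by this script.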