Microsoft discovers critical SolarWinds zero-day under active attack | GeekComparison

A telephone and the wall behind it share a solarwinds logo.

SolarWinds, the company at the center of a supply chain attack that compromised nine US agencies and 100 private companies, is trying to contain a new security threat: a critical zero-day vulnerability in its Serv-U product line.

Microsoft discovered the exploits and reported them privately to SolarWinds, the latter company said in an advisory published Friday. SolarWinds said the attacks have nothing to do with the supply chain attack discovered in December.

“Microsoft has provided evidence of limited, targeted customer impact, although SolarWinds currently has no estimate of the number of customers that could be directly affected by the vulnerability,” company officials wrote. “SolarWinds is not aware of the identities of the potentially affected customers.”

Only SolarWind’s Serv-U Managed File Transfer and Serv-U Secure FTP – and by extension, the Serv-U Gateway, part of these two products – are affected by this vulnerability, which could allow attackers to remotely execute malicious code on vulnerable systems.

An attacker could gain privileged access to exploited machines hosting Serv-U products and could then install programs; view, change or delete data; or run programs on the affected system. The vulnerability exists in the latest Serv-U version 15.2.3 HF1, released on May 5, and all previous versions.

SolarWinds has released a hotfix to mitigate the attacks while the company works on a permanent fix. People using Serv-U version 15.2.3 HF1 should apply hotfix (HF) 2; those using Serv-U 15.2.3 should apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2; and those using Serv-U versions prior to 15.2.3 should upgrade to Serv-U 15.2.3, apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2. The company says customers should install the fixes immediately.

The hotfixes are available here. Disabling SSH access also prevents abuse.

The federal government has blamed last year’s supply chain attack on hackers working for Russia’s foreign intelligence agency, abbreviated as the SVR, which has been running malware campaigns targeting governments, political think tanks and other organizations in Germany, among others, for more than a decade. Uzbekistan, South Korea and the USA. Targets included the United States Department of State and the White House in 2014.

The hackers used that access to push a malicious software update to about 18,000 customers of SolarWinds’ Orion network management product. Of those customers, approximately 110 received a follow-up attack that installed a later stage that exfiltrated proprietary data. The malware installed in the attack campaign is known as Sunburst. Again, SolarWinds said the ongoing exploits are now unrelated.

Late last year, zero-day vulnerabilities in SolarWinds’ Orion product were exploited by another set of attackers that researchers have linked to the Chinese government. Those attackers installed malware that researchers call SuperNova. Threat actors associated with China have also targeted SolarWinds. At least one US government agency was targeted in this operation.

Post updated to correct the Russian bureau.

Leave a Comment