Chinese Hackers Exploit New SolarWinds Zero-Day in Targeted Attacks


Microsoft Threat Intelligence Center (MSTIC) on Tuesday revealed a zero-day remote code execution exploit being used against SolarWinds Serv-U FTP software in limited, targeted attacks. Microsoft said the attacks are linked to a China-based threat group it tracks as 'DEV-0322.'

“MSTIC attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures,” Microsoft said in an update on Wednesday.

To carry out the attack, threat actors deployed malware in the Orion software sold by the IT management company SolarWinds. According to local media outlets, the hackers compromised at least 250 federal agencies and top organizations in the US.

Tracked as CVE-2021-35211, the RCE vulnerability resides in Serv-U's implementation of the Secure Shell (SSH) protocol. While it was previously revealed that the attacks were limited in scope, SolarWinds said it is unaware of the identities of the potentially affected customers.

“The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. We strongly urge all customers to update their instances of Serv-U to the latest available version,” Microsoft advised.

On Tuesday, SolarWinds published a security update for a zero-day vulnerability in Serv-U FTP servers that allows remote code execution when SSH is enabled. According to SolarWinds, the flaw was disclosed by Microsoft, which observed a hacker actively exploiting it to execute commands on vulnerable customers' devices.

"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," says a new blog post by the Microsoft Threat Intelligence Center. 

According to Microsoft, the ‘DEV-0322’ hacking group has previously targeted entities in the US Defense Industrial Base Sector and software companies. "The Defense Industrial Base (DIB) Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements," explains a CISA document describing the DIB sector.

In December 2020, Microsoft revealed that a separate espionage group may have been exploiting the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on compromised systems. The intrusions have since been attributed to a China-linked threat actor called Spiral.