Microsoft Links SolarWinds Serv-U SSH 0-Day Attack to a Chinese Hacking Group


Microsoft Threat Intelligence Center has published technical details regarding a now-patched 0-day remote code execution vulnerability affecting SolarWinds Serv-U managed file transfer server software, which it has attributed with "high confidence" to a hacking group operating out of China.

In early July, Microsoft's Offensive Research & Security Engineering team addressed a remote code execution flaw (CVE-2021-35211) in Serv-U's implementation of the Secure Shell (SSH) protocol. The flaw could be exploited by attackers to execute arbitrary code on the compromised system, including to install malicious programs and to view, change, or delete sensitive data.

"The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," Microsoft Offensive Research and Security Engineering team explained in a detailed write-up describing the exploit.

"An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported," the researchers added.

Microsoft had already attributed the attacks to DEV-0322, a China-based hacking group, citing "observed victimology, tactics, and procedures." It has now disclosed that the remote, pre-auth vulnerability stemmed from the way the Serv-U process handled access violations without terminating, which made stealthy, reliable exploitation attempts straightforward to carry out.

"The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages," the researchers said.

"Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation," the researchers further explained.

ASLR is a mitigation against memory-corruption attacks such as buffer overflows: it randomizes the address space positions at which executables and libraries are loaded into memory, so that an exploit cannot rely on hardcoded addresses.

After a thorough examination of the SolarWinds hack, Microsoft researchers advised affected organizations to enable ASLR compatibility for all binaries loaded in the Serv-U process. "ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U," the researchers concluded.
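One way for a defender to verify that recommendation is to audit every executable and DLL in the Serv-U installation directory for the PE header flags that decide whether Windows can randomize its load address. The script below is an added example, not code from Microsoft's write-up or from SolarWinds; the install path passed to `audit_directory` is assumed, the header offsets follow the PE/COFF format, and `make_header` builds constructed sample input rather than a real Serv-U binary.

```python
import struct
from pathlib import Path

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opts in to ASLR
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit images only)
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED: image cannot be relocated at all

def aslr_status(data: bytes) -> dict:
    """Parse a PE image's headers and report the flags that decide ASLR compatibility."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew -> "PE\0\0" signature
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF file header follows the signature; Characteristics is its last WORD (+18).
    characteristics = struct.unpack_from("<H", data, pe_off + 4 + 18)[0]
    # Optional header starts at +24; DllCharacteristics is at its offset 70 for PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, pe_off + 24 + 70)[0]
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # A module only takes part in ASLR if it opted in AND can actually be relocated.
        "aslr_compatible": dynamic_base and not relocs_stripped,
    }

def audit_directory(root: str) -> list:
    """Return (path, status) for every .exe/.dll under root that is not ASLR-compatible."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() not in (".exe", ".dll"):
            continue
        try:
            status = aslr_status(p.read_bytes())
        except (ValueError, struct.error, OSError):
            continue  # unreadable, truncated, or not a PE file
        if not status["aslr_compatible"]:
            findings.append((str(p), status))
    return findings

def make_header(dll_chars: int, characteristics: int = 0) -> bytes:
    """Constructed minimal PE32 header used as sample input; not a real Serv-U binary."""
    hdr = bytearray(0x40 + 24 + 96)  # DOS header, PE sig + file header, PE32 optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 4 + 18, characteristics)
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)  # Magic = PE32
    struct.pack_into("<H", hdr, 0x40 + 24 + 70, dll_chars)
    return bytes(hdr)
```

A module reported with `relocs_stripped` cannot be randomized even by Windows' mandatory-ASLR process mitigation, since the loader has no relocation data to apply, so it has to be rebuilt or replaced rather than forced.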

Last year in December, Microsoft revealed that a different espionage group may have been exploiting the IT infrastructure provider's Orion software to install a persistent backdoor called Supernova on compromised devices. Cybersecurity firm SecureWorks attributed the intrusions to a China-linked hacking group called Spiral.