Microsoft has recently identified a series of attacks on SolarWinds’ Serv-U managed file transfer service, which were executed using a now-resolved remote code execution (RCE) vulnerability attributed to a Chinese threat group known as “DEV-0322.” This announcement follows SolarWinds’ emergency patches aimed at countering an exploit that could have allowed unauthorized execution of arbitrary code, granting attackers the ability to install malicious software or manipulate sensitive data.

The identified RCE flaw, logged as CVE-2021-35211, is embedded within the Secure Shell (SSH) protocol architecture of Serv-U. Although initial reports indicated a limited impact from these attacks, SolarWinds noted that it remains unaware of the specific identities of potentially affected users.

In assessing the threat landscape, Microsoft’s Threat Intelligence Center (MSTIC) has confidently linked these intrusions to DEV-0322, based on their operational patterns, victim selection, and tactics employed. This group is recognized for targeting entities within the U.S. Defense Industrial Base Sector, as well as prominent software firms.

MSTIC has indicated that DEV-0322 is based in China and has been observed utilizing commercial VPNs and compromised consumer routers as part of its infrastructural setup for executing attacks. The discovery of the zero-day exploit followed the detection of numerous suspicious processes originating from the main Serv-U process, signaling a successful breach.
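The detection signal described above (child processes spawned by the main Serv-U service process) can be hunted for in process-creation telemetry. The following is an added illustration, not Microsoft's or SolarWinds' own detection logic; the image name `Serv-U.exe`, the record layout and the allowlist are assumptions, and the sample events are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records (not real telemetry). Assumed layout:
# "parent=<image> child=<image> cmdline=<command line>".
SAMPLE_EVENTS = [
    "parent=Serv-U.exe child=Serv-U.exe cmdline=Serv-U.exe -service",
    "parent=Serv-U.exe child=cmd.exe cmdline=cmd.exe /c whoami",
    "parent=Serv-U.exe child=powershell.exe cmdline=powershell.exe -nop -w hidden",
    "parent=explorer.exe child=cmd.exe cmdline=cmd.exe",
    "not a process event",
]

EVENT_RE = re.compile(r"parent=(?P<parent>\S+)\s+child=(?P<child>\S+)\s+cmdline=(?P<cmdline>.*)")

# Assumed image name of the main Serv-U service process.
SERVU_PROCESS = "serv-u.exe"
# Assumed benign children of the service; tune to what the environment normally shows.
EXPECTED_CHILDREN = {"serv-u.exe"}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one record into its fields, or return None for non-matching lines."""
    match = EVENT_RE.match(line.strip())
    return match.groupdict() if match else None


def find_suspicious_children(lines: List[str]) -> List[Dict[str, str]]:
    """Return events where the Serv-U process spawned a child outside the allowlist.

    Matching is case-insensitive on image names, since Windows paths are.
    """
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        if event["parent"].lower() != SERVU_PROCESS:
            continue
        if event["child"].lower() in EXPECTED_CHILDREN:
            continue
        findings.append(event)
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print(f"suspicious child of Serv-U: {hit['child']} ({hit['cmdline']})")
```

Real hunting would key on the parent image path from EDR or Sysmon process-creation events rather than a flat text record, but the allowlist-on-parent logic is the same.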

This marks the second incident wherein a hacking group from China has effectively leveraged vulnerabilities in SolarWinds’ products for targeted cyber-attacks against corporate networks. Previously, in December 2020, Microsoft pointed to a separate espionage group that exploited SolarWinds’ Orion software to deploy a persistent backdoor known as Supernova, which has since been associated with a threat actor linked to China named Spiral.

Businesses concerned about their exposure can refer to SolarWinds’ revised advisory, which shares additional indicators of compromise related to this attack. It is also worth noting that, although the attacks are reported to have had a limited impact, precise details regarding the victims of this zero-day attack have yet to be disclosed.
