Chinese Hackers Exploited Latest SolarWinds 0-Day in Targeted Attacks

Cyber Security

Microsoft on Tuesday disclosed that the latest string of attacks targeting SolarWinds Serv-U managed file transfer service with a now-patched remote code execution (RCE) exploit is the handiwork of a Chinese threat actor dubbed “DEV-0322.”

The revelation comes days after the Texas-based IT monitoring software maker issued fixes for the flaw that could enable adversaries to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads or view and alter sensitive data.

Tracked as CVE-2021-35211, the RCE flaw resides in Serv-U’s implementation of the Secure Shell (SSH) protocol. While it was previously revealed that the attacks were limited in scope, SolarWinds said it’s “unaware of the identity of the potentially affected customers.”

Stack Overflow Teams

Attributing the intrusions with high confidence to DEV-0322 (short for “Development Group 0322”) based on observed victimology, tactics, and procedures, Microsoft Threat Intelligence Center (MSTIC) said the adversary singled out entities in the U.S. Defense Industrial Base Sector and software companies.

SolarWinds 0-Day

“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” according to MSTIC, which discovered the zero-day after it detected as many as six anomalous malicious processes being spawned from the main Serv-U process, suggesting a compromise.

The development also marks the second time a China-based hacking group has exploited vulnerabilities in SolarWinds software as a fertile field for targeted attacks against corporate networks.

Enterprise Password Management

Back in December 2020, Microsoft disclosed that a separate espionage group may have been taking advantage of the IT infrastructure provider’s Orion software to drop a persistent backdoor called Supernova on infected systems. The intrusions have since been attributed to a China-linked threat actor called Spiral.

Additional indicators of compromise associated with the attack can be accessed from SolarWinds’ revised advisory here.

Articles You May Like

ESA Says Expects Strong NASA Support After Mars Mission Suspended Due to Ukraine War
Apple iOS 16 to Bring Message Filter for Dual-SIM iPhones; Reportedly Fixing Edit Message Feature
Gotham Knights Map Size: The ‘Biggest Version’ of Batman’s City in a Game Ever
Apple Back to School 2022 Sale: Discounts on iPad Air, MacBook Pro, AirPods, More in India
Amazon Offering Fire TV Stick With a Wireless Game Controller in India to Attract Casual Gamers