Microsoft’s Threat Intelligence Center (MSTIC) reported on Tuesday that the SolarWinds software was attacked with a zero-day exploit by a group of hackers it calls “DEV-0322.” The hackers were focused on SolarWinds’ Serv-U FTP software, with the supposed goal of gaining access to the company’s customers in the US defense industry.
The zero-day attack was first detected in a routine Microsoft 365 Defender scan. The software flagged a “deviant malicious process,” which Microsoft explains in more detail in its blog; in short, the hackers appear to have tried to add themselves as Serv-U administrators, alongside other suspicious activity.
SolarWinds disclosed the zero-day exploitation on Friday, July 9, and explained that all Serv-U releases from May 5 and earlier contain the vulnerability. The company released a hotfix, and the vulnerability has since been patched, but Microsoft writes that if Serv-U’s Secure Shell (SSH) protocol is exposed to the Internet, hackers could “remotely run arbitrary code with privileges so that they could perform actions such as installing and running malicious payloads, or viewing and modifying data.” Anyone running older Serv-U software is encouraged to update it as soon as possible.