
Microsoft attributes new SolarWinds attacks to a Chinese hacker group

Microsoft’s Threat Intelligence Center (MSTIC) reported on Tuesday that SolarWinds software had been attacked with a zero-day exploit by a group of hackers it tracks as “DEV-0322.” The attackers focused on SolarWinds’ Serv-U FTP software, apparently with the goal of gaining access to the company’s customers in the US defense industry.

The zero-day attack was first detected by a routine Microsoft 365 Defender scan. Defender flagged an anomalous malicious process, which Microsoft describes in more detail in its blog post; among the suspicious activity it observed, the attackers appear to have tried to add themselves as Serv-U administrators.

SolarWinds disclosed the exploitation of the zero-day on Friday, July 9, and explained that all Serv-U releases from May 5 and earlier contained the vulnerability. The company released a hotfix, and the flaw has since been patched, but Microsoft writes that if Serv-U’s Secure Shell (SSH) service is exposed to the Internet, attackers could “remotely run arbitrary code with privileges so that they could perform actions such as installing and running malicious payloads, or viewing and modifying data.” Anyone running older Serv-U software is encouraged to update it as soon as possible.

The first hack that threw SolarWinds into the spotlight in December 2020 exposed hundreds of government agencies and companies. Unlike that earlier intrusion, which is now widely linked to a Russian government-affiliated hacking group called Cozy Bear, Microsoft says this zero-day attack originated in China. DEV-0322 habitually targets “entities in the US defense industrial base sector,” Microsoft writes, and is known for “using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”
