Flaw in SolarWinds server used by Chinese hackers to target US Defense

Zero-day vulnerability in active use: SolarWinds issues a fix after Microsoft warning

SolarWinds discovered zero-day flaw. The actively exploited vulnerability was used against US defense companies, supposedly by China-based hackers.

On Tuesday, July 13, Microsoft shared news about a hacker group that is believed to be operating from China and using a zero-day vulnerability in a SolarWinds product. It seems that the hackers were targeting huge software companies and even the US Defense industry. The flaw allows remote code execution when SSH is enabled.

On Monday, July 12, SolarWinds disclosed the zero-day vulnerability, only after Microsoft notified it that a previously unknown flaw in the SolarWinds Serv-U product line was under active exploit[1]. Specifically, the vulnerability exists in the latest Serv-U version 15.2.3 HF1, released on May 5 of this year, as well as all prior versions.

Microsoft provided a proof-of-concept (POC) exploit to SolarWinds, demonstrating how hackers use the vulnerability. As of right now, it is believed that gangs could install programs, view, change or delete data, or run programs on the affected system[2]. SolarWinds does not have knowledge about how many customers are affected by the flaw and targeted customers have yet to come forward.

Attackers rely on botnets and commercial VPN solutions

Microsoft communicated that they first learned about the SolarWinds vulnerability and attacks after Microsoft 365 Defender telemetry showed a normally harmless Serv-U process spawning anomalous malicious processes[3].

The company advises everyone who believes that their device was compromised to check the Serv-U DebugSocketLog.txt log file and look for exception messages. Other signs of a compromised device are:

  • Recently created .txt files under the Client\Common\ folder.
  • Serv-U spawned processes for mshta.exe, powershell.exe, cmd.exe, and processes running from C:\Windows\temp.
  • Unrecognized global users in the Serv-U configuration.
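
The process and log indicators above can be turned into a simple triage check. The sketch below is an added example, not code from Microsoft or SolarWinds: it assumes the Serv-U binary is named Serv-U.exe, borrows the ParentImage/Image field names from Sysmon process-creation events, and runs on constructed sample records and log lines.

```python
import ntpath

SERVU_IMAGE = "serv-u.exe"  # assumption: name of the Serv-U service binary
SUSPECT_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe"}  # from the list above
TEMP_DIR = "c:\\windows\\temp\\"


def flag_servu_children(events):
    # Return (reason, event) for each process-creation event whose parent is
    # Serv-U and whose image is a listed child or lives under Windows temp.
    # Comparison is lower-cased because Windows paths are case-insensitive.
    hits = []
    for ev in events:
        if ntpath.basename(ev["ParentImage"]).lower() != SERVU_IMAGE:
            continue
        image = ev["Image"].lower()
        if ntpath.basename(image) in SUSPECT_CHILDREN:
            hits.append(("listed child process", ev))
        elif image.startswith(TEMP_DIR):
            hits.append(("runs from Windows temp", ev))
    return hits


def exception_lines(log_lines):
    # Return (line_number, text) for log lines that mention an exception.
    return [(n, line.strip()) for n, line in enumerate(log_lines, 1)
            if "exception" in line.lower()]


# Constructed sample data; field names follow Sysmon process-creation events,
# and every path and log line here is made up for the example.
SERVU = r"C:\Program Files\Example\Serv-U.exe"
SAMPLE_EVENTS = [
    {"ParentImage": SERVU, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": SERVU, "Image": r"C:\Windows\Temp\constructed.exe"},
    {"ParentImage": SERVU, "Image": r"C:\Program Files\Example\helper.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
SAMPLE_LOG = [
    "constructed line: session opened\n",
    "constructed line: EXCEPTION while processing received data\n",
    "constructed line: session closed\n",
]

if __name__ == "__main__":
    for reason, ev in flag_servu_children(SAMPLE_EVENTS):
        print(f"{reason}: {ev['Image']}")
    for n, text in exception_lines(SAMPLE_LOG):
        print(f"DebugSocketLog.txt line {n}: {text}")
```

Only the two Serv-U children are flagged; the PowerShell launched from explorer.exe is ignored because its parent is not Serv-U.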

The hacker gang, based in China and known as “DEV-0322” (“DEV” refers to a “development group”), wasn't flying under the radar even before the recent attack.

Researchers believe the attackers often rely on botnets made up of routers or other types of IoT devices. Once infected, a device becomes part of a botnet – a network of infected zombie computers controlled remotely by a cybercriminal. In this way, security is compromised[4].

It is also known that DEV-0322 tends to target entities in the US Defense Industrial Base Sector and software companies. The gang uses commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

SolarWinds became known after the supply-chain attack in 2020

The recent attack is hardly the first time SolarWinds has become the target of hackers and their threatening attacks. The software company was targeted late last year, when a state-sponsored APT injected malicious code into common software updates for the SolarWinds Orion network-management platform.

The attackers used their access to push a malicious update to roughly 18,000 customers, of which about nine were US government agencies and about 100 were private industries.

Based on the information captured from victims, the threat actors collected an enormous database of individuals and organizations who they can target over time[5].

However, SolarWinds states that the recent zero-day attacks that Microsoft discovered and reported are unrelated to the Orion supply chain attack. The company even shared a list of products “not known to be affected by this security vulnerability” in the advisory for good measure, to keep panic at bay.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
