Chinese hackers attack victims through 0-day vulnerability in SolarWinds Serv-U FTP


The flaw is the recently patched remote code execution vulnerability CVE-2021-35211 in Serv-U's implementation of the SSH protocol.

Microsoft discovered that a zero-day vulnerability in SolarWinds Serv-U FTP was being exploited in targeted attacks against a limited number of victims. Based on victimology and on the tactics, techniques and procedures observed, the Microsoft Threat Intelligence Center (MSTIC) attributed the attacks to DEV-0322, a threat group operating out of China.

The vulnerability in question is CVE-2021-35211, a recently patched remote code execution flaw in Serv-U's implementation of the Secure Shell (SSH) protocol. If the Serv-U SSH service is reachable from the Internet, an attacker can exploit it to run arbitrary code remotely with privileges on the system, which lets them install and run malware and view or modify data. Users are therefore strongly advised to update their Serv-U installations to the latest available version.

According to MSTIC, DEV-0322 targets the US defense industry and software companies. The group operates from China and uses commercial VPN services and compromised routers as infrastructure for its attacks.

MSTIC found the exploitation during routine analysis of Microsoft 365 Defender telemetry: the Serv-U process was spawning anomalous, malicious child processes, a sign that Serv-U itself had been compromised.

DEV-0322 wrote the output of its cmd.exe commands to files in the Serv-U\Client\Common\ folder, which is reachable from the Internet by default, so the attackers could collect command results simply by requesting those files. The attackers also added a new global user and made it a Serv-U administrator by manually creating a specially crafted .Archive file in the Global Users directory, where Serv-U stores its user definitions.

Because of the way the exploit code was written, compromising the Serv-U process raised an exception that was recorded in the DebugSocketLog.txt log file, and the process could also crash after a malicious command ran. Both side effects are useful indicators when hunting for this activity.
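The four traces described above (Serv-U spawning shells, command output dropped under Client\Common\, a new .Archive file in Global Users, and exceptions in DebugSocketLog.txt) can be checked together on exported host data. The script below is an added example written for this article, not code from Microsoft, MSTIC or SolarWinds. It takes already-collected telemetry as plain Python data so it runs offline; the record shapes, the install and data paths, the web-client extension allowlist, the "EXCEPTION: <NTSTATUS>; <function>" log line layout and all sample inputs are assumptions constructed for the example, not Serv-U's documented formats.

```python
"""Host triage for the Serv-U post-exploitation traces described above.

Constructed example; not Microsoft's, MSTIC's or SolarWinds' code. It works on
already-exported telemetry passed in as plain Python data (process-creation
records, directory listings, DebugSocketLog.txt lines) so it runs offline.
The record shapes, the directory paths, the log line layout and the sample
data are assumptions made for the example, not Serv-U's documented formats.
"""
import re
from pathlib import PureWindowsPath

SERVU_IMAGE = "serv-u.exe"  # Serv-U service binary (compared case-insensitively)
# Helpers commonly launched after an RCE; assumed ranking, not an MSTIC list.
LOLBINS = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "rundll32.exe"}
# Exception line layout assumed as 'EXCEPTION: <NTSTATUS hex>; <function>'.
EXC_RE = re.compile(r"EXCEPTION:\s*(?P<code>[0-9A-Fa-f]{8});\s*(?P<where>[^;]+)")


def servu_child_processes(events):
    """Process-creation records whose parent image is Serv-U.exe.

    Each event is a dict with parent_image, image and command_line, the
    simplified shape of a Sysmon Event ID 1 or EDR process-start record."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["parent_image"]).name.lower() == SERVU_IMAGE:
            child = PureWindowsPath(ev["image"]).name.lower()
            hits.append({**ev, "lolbin": child in LOLBINS})
    return hits


def command_output_drops(files, client_common_dir):
    """Files under Client\\Common\\ whose extension is not part of the web
    client (allowlist assumed); attacker command output was dropped here."""
    common = PureWindowsPath(client_common_dir)
    known = {".html", ".htm", ".js", ".css", ".png", ".gif", ".ico"}
    return [f for f in files
            if common in PureWindowsPath(f).parents
            and PureWindowsPath(f).suffix.lower() not in known]


def new_global_users(files, global_users_dir, baseline):
    """.Archive files in Global Users that were absent from `baseline`, a
    listing of the same directory captured before the incident window."""
    gu = PureWindowsPath(global_users_dir)
    base = {PureWindowsPath(b).name.lower() for b in baseline}
    return [f for f in files
            if gu in PureWindowsPath(f).parents
            and PureWindowsPath(f).suffix.lower() == ".archive"
            and PureWindowsPath(f).name.lower() not in base]


def debug_log_exceptions(lines):
    """Exception entries from DebugSocketLog.txt; 0xC0000005 is
    STATUS_ACCESS_VIOLATION, the usual signature of a memory-safety bug."""
    found = []
    for ln in lines:
        m = EXC_RE.search(ln)
        if m:
            code = m.group("code").upper()
            found.append({"code": code, "where": m.group("where").strip(),
                          "access_violation": code == "C0000005"})
    return found


def triage(events, files, client_common_dir, global_users_dir, baseline, lines):
    """Run all four checks; `fired` counts indicator classes with a hit."""
    r = {"servu_children": servu_child_processes(events),
         "client_common_drops": command_output_drops(files, client_common_dir),
         "new_archives": new_global_users(files, global_users_dir, baseline),
         "log_exceptions": debug_log_exceptions(lines)}
    r["fired"] = sum(1 for v in r.values() if v)
    return r


# --- constructed sample input (not real telemetry; paths are assumed) ------
INSTALL = r"C:\Program Files\Serv-U"
DATA = r"C:\ProgramData\Serv-U"
SAMPLE_EVENTS = [
    {"parent_image": INSTALL + r"\Serv-U.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c whoami > "' + INSTALL + r'\Client\Common\w.txt"'},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": INSTALL + r"\Serv-U.exe", "command_line": "Serv-U.exe"},
]
SAMPLE_FILES = [
    INSTALL + r"\Client\Common\index.html",
    INSTALL + r"\Client\Common\w.txt",
    DATA + r"\Users\Global Users\alice.Archive",
    DATA + r"\Users\Global Users\svc_backup.Archive",
]
SAMPLE_BASELINE = [DATA + r"\Users\Global Users\alice.Archive"]
SAMPLE_LOG = [  # constructed lines; the function name is a placeholder
    "[1] Sock 7: SSH session opened",
    "[1] EXCEPTION: C0000005; SshReceive(); Type: 30",
    "[1] Sock 7: closed",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, SAMPLE_FILES, INSTALL + r"\Client\Common",
                            DATA + r"\Users\Global Users", SAMPLE_BASELINE, SAMPLE_LOG),
                     indent=2))
```

Run against real exports, the Global Users baseline should come from a backup or a known-good host rather than from the suspect machine, since an attacker who can write .Archive files can also delete them; and any child of Serv-U.exe, not only the listed helpers, deserves a look, because the service normally spawns nothing.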

From telemetry alone, MSTIC identified the exploit's distinctive traces but not the root cause of the vulnerability. Microsoft's Offensive Security Research team then performed dynamic analysis of Serv-U and located the root cause, after which Microsoft notified SolarWinds, which released a fix shortly afterwards.
