In July 2021, SolarWinds patched a remote code execution vulnerability (CVE-2021-35211) in Serv-U and warned that attackers were already exploiting it. Both the bug and targeted attacks against unnamed SolarWinds customers had been discovered by Microsoft researchers, but at the time no details of the attacks themselves were released.
Microsoft has now shared the details of what happened. The company attributes the exploitation of the 0-day to a new hacking group operating out of China, which it tracks as DEV-0322.
The hackers reportedly attacked SolarWinds Serv-U servers by “connecting to an open SSH port and sending a malformed pre-auth request.” This allowed DEV-0322 operators to run malicious code on the target system and hijack vulnerable devices.
Microsoft still has not said anything about the attackers' goals. It remains unclear whether DEV-0322 was engaged in cyber espionage and intelligence gathering or was pursuing financial gain.
Microsoft also went into the technical details of CVE-2021-35211 itself. The researchers emphasized that one reason the attacks succeeded was that some of the Serv-U binaries were not built with ASLR (address space layout randomization) enabled, so their load addresses were predictable. Without that protection, exploiting the bug in Serv-U turned out to be "not that difficult."
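Whether a service's binaries were built with ASLR is something an operator can verify before exposing the service, without waiting for a vendor advisory. The script below is an added example, not code from Microsoft or SolarWinds: it parses the PE headers directly and reports the DYNAMIC_BASE, HIGH_ENTROPY_VA and NX_COMPAT flags, and it also catches the case where DYNAMIC_BASE is set but relocations were stripped, in which case the loader cannot actually move the image and ASLR is ineffective despite the flag. The header-only image it builds is a constructed fixture for testing; the function names are my own.

```python
import struct
import sys
from pathlib import Path

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # "ASLR enabled"
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report ASLR-related flags.

    Raises ValueError for anything that is not a PE image. Works for both
    PE32 and PE32+ because DllCharacteristics sits at offset 70 of the
    optional header in both formats.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsect, _ts, _symtab, _nsyms, opt_size,
     coff_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or opt + opt_size > len(data):
        raise ValueError("optional header too short or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "coff_characteristics": coff_chars,
        "dll_characteristics": dll_chars,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # The loader can only randomize an image that is marked relocatable
        # AND still carries its .reloc data; DYNAMIC_BASE alone is not enough.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_minimal_pe(dll_characteristics: int, coff_characteristics: int = 0,
                     pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image used as a test fixture (not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def scan_paths(paths) -> list:
    """Return (path, report-or-error) for every .exe/.dll found under `paths`."""
    results = []
    for root in map(Path, paths):
        files = [root] if root.is_file() else root.rglob("*")
        for f in files:
            if f.suffix.lower() not in (".exe", ".dll"):
                continue
            try:
                results.append((str(f), pe_mitigations(f.read_bytes())))
            except (ValueError, OSError) as exc:
                results.append((str(f), f"error: {exc}"))
    return results


if __name__ == "__main__":
    # Usage: python pe_aslr_check.py "C:\Program Files\SolarWinds\Serv-U"
    for path, report in scan_paths(sys.argv[1:]):
        if isinstance(report, str):
            print(f"{path}: {report}")
        else:
            status = "OK" if report["aslr_effective"] else "NO ASLR"
            print(f"{path}: {status} (DllCharacteristics={report['dll_characteristics']:#06x})")
```

Running it against a service's install directory lists every image whose ASLR is ineffective; on 64-bit builds also look at `high_entropy_va`, since without it the randomization entropy is much smaller.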