threat actor China APT panda

Microsoft links Serv-U zero-day attacks to Chinese hacking group

Microsoft said today that the recent wave of attacks that have targeted SolarWinds file transfer servers are the work of a Chinese hacking group the company has been tracking under the name of DEV-0322.

News of the attacks first surfaced on Friday, July 9, when embattled software provider SolarWinds released a security update to patch a zero-day vulnerability in its Serv-U technology that was being exploited in the wild.

At the time, SolarWinds said it learned of the zero-day (CVE-2021-35211) and the ongoing attacks from Microsoft but did not release any additional details beyond the Serv-U patch (v15.2.3 HF2).

Initially, Microsoft declined to comment following the SolarWinds patch in emails sent by The Record.

However, following pressure from the cyber-security community on Tuesday, which kept asking the OS maker for additional details so they could deploy countermeasures to detect and block ongoing attacks, Microsoft published a blog post today with an in-depth description of the zero-day's entire exploitation chain.

According to the report, Microsoft said it discovered the DEV-0322 attacks after its Defender antivirus began detecting malicious processes spawning from Serv-U's main application, which eventually led its security team to investigate and discover the zero-day and the ongoing attacks.

DEV-0322 previously targeted the US Defense Industrial Base

While Microsoft couldn't comment on the targets of this most recent campaign, the OS maker said that past DEV-0322 attacks had targeted software companies and entities in the US Defense Industrial Base Sector.

These attacks also mark the second time that a Chinese hacking group has abused SolarWinds software to breach corporate and government networks.

Back in December 2020, while the Russian-orchestrated SolarWinds supply chain attack was coming to light, Chinese hacking groups were also busy abusing the CVE-2020-10148 vulnerability to install web shells on SolarWinds Orion IT monitoring platforms.

Because the CVE-2020-10148 came to light during the more broad supply chain investigation, it took security firms some time to separate the two incidents and eventually make the connection to a Chinese group tracked as Spiral.

All in all, companies that run SolarWinds Serv-U file transfer servers can protect themselves against DEV-022 attacks by either installing the company's patch or by disabling SSH access to the server, which is how the group is compromising servers.

According to a Censys search query, there are more than 8,200 SolarWinds Serv-U systems exposing their SSH port online, a number that had remained steady since last week, when the patches were released.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.