Microsoft links Serv-U zero-day attacks to Chinese hacking group
Image: Markus Winkler, The Record
Catalin Cimpanu July 13, 2021

Microsoft links Serv-U zero-day attacks to Chinese hacking group

Microsoft links Serv-U zero-day attacks to Chinese hacking group

Microsoft said today that the recent wave of attacks that have targeted SolarWinds file transfer servers are the work of a Chinese hacking group the company has been tracking under the name of DEV-0322.

News of the attacks first surfaced on Friday, July 9, when embattled software provider SolarWinds released a security update to patch a zero-day vulnerability in its Serv-U technology that was being exploited in the wild.

At the time, SolarWinds said it learned of the zero-day (CVE-2021-35211) and the ongoing attacks from Microsoft but did not release any additional details beyond the Serv-U patch (v15.2.3 HF2).

Initially, Microsoft declined to comment following the SolarWinds patch in emails sent by The Record.

However, following pressure from the cyber-security community on Tuesday, which kept asking the OS maker for additional details so they could deploy countermeasures to detect and block ongoing attacks, Microsoft published a blog post today with an in-depth description of the zero-day’s entire exploitation chain.

According to the report, Microsoft said it discovered the DEV-0322 attacks after its Defender antivirus began detecting malicious processes spawning from Serv-U’s main application, which eventually led its security team to investigate and discover the zero-day and the ongoing attacks.

DEV-0322 previously targeted the US Defense Industrial Base

While Microsoft couldn’t comment on the targets of this most recent campaign, the OS maker said that past DEV-0322 attacks had targeted software companies and entities in the US Defense Industrial Base Sector.

These attacks also mark the second time that a Chinese hacking group has abused SolarWinds software to breach corporate and government networks.

Back in December 2020, while the Russian-orchestrated SolarWinds supply chain attack was coming to light, Chinese hacking groups were also busy abusing the CVE-2020-10148 vulnerability to install web shells on SolarWinds Orion IT monitoring platforms.

Because the CVE-2020-10148 came to light during the more broad supply chain investigation, it took security firms some time to separate the two incidents and eventually make the connection to a Chinese group tracked as Spiral.

All in all, companies that run SolarWinds Serv-U file transfer servers can protect themselves against DEV-022 attacks by either installing the company’s patch or by disabling SSH access to the server, which is how the group is compromising servers.

According to a Censys search query, there are more than 8,200 SolarWinds Serv-U systems exposing their SSH port online, a number that had remained steady since last week, when the patches were released.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.