China-based hackers are actively targeting US defense and software companies by exploiting a flaw in SolarWinds’ Serv-U FTP server. The flaw lets an attacker remotely take over a vulnerable system.
Yesterday, SolarWinds released a security update that fixes this zero-day flaw in Serv-U, which allows remote code execution.
The issue was disclosed by Microsoft, which detected a threat actor actively exploiting it to execute arbitrary commands on vulnerable devices. Microsoft said with high confidence that the attacks were traced to a China-based threat group it tracks as DEV-0322.
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” says a new blog post by the Microsoft Threat Intelligence Center.
This threat group targets internet-exposed Serv-U FTP servers belonging to entities in the US defense industrial base (DIB) sector and to software companies.
“The DIB Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements,” explains a document by the CISA.
Microsoft says it first learned about the attacks after its Microsoft 365 Defender telemetry flagged anomalous child processes being spawned by the otherwise legitimate Serv-U process.
“We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands,” Microsoft explains in their blog post.
Other commands the group ran would add a new administrator user to the Serv-U configuration or launch scripts that gave the attackers persistent remote access to the device.
If you suspect your device might have been compromised, Microsoft advises checking the Serv-U DebugSocketLog.txt file for exception messages. A “C0000005; CSUSSHSocket::ProcessReceive” exception could indicate that a threat actor attempted to exploit the server, although on its own it does not prove the attempt succeeded.
Other signs that a device was compromised include recently created .txt files in the Client\Common folder (the location the attackers used to collect command output) and unrecognized global users in the Serv-U configuration.
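The three checks above can be scripted for a first-pass triage. The following Python script is an added example written for this page, not code from SolarWinds or Microsoft. It assumes only that DebugSocketLog.txt is plain text with one event per line; the log excerpt, the Client\Common file listing, the "current time" and both user lists embedded in it are constructed sample data, and the exception string is the only indicator taken directly from Microsoft's guidance. Extracting the global user list from the Serv-U configuration itself is left to the operator; the script takes that list as input.

```python
"""Triage helper for the Serv-U indicators Microsoft published.

Added example, not SolarWinds or Microsoft code. Assumes only that
DebugSocketLog.txt is plain text with one event per line; every sample
below (log lines, file listing, user lists, NOW) is constructed.
"""
import os
from datetime import datetime, timedelta

# Indicator from Microsoft's guidance: this exception in DebugSocketLog.txt
# can mean an exploitation attempt against Serv-U's SSH component.
EXPLOIT_EXCEPTION = "C0000005; CSUSSHSocket::ProcessReceive"

# Constructed DebugSocketLog.txt excerpt (the line layout is an assumption).
SAMPLE_DEBUG_LOG = """\
[02] Tue 13Jul21 02:14:07 - Socket 0x1a2b connected from 203.0.113.45
[02] Tue 13Jul21 02:14:09 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30
[02] Tue 13Jul21 02:15:01 - Socket 0x1a2c connected from 198.51.100.7
[02] Tue 13Jul21 02:15:02 - Socket 0x1a2c closed
"""

# Constructed "current time" so the sample run is reproducible.
NOW = datetime(2021, 7, 13, 12, 0, 0)

# Constructed listing of Client\Common as (file name, last-modified time).
SAMPLE_CLIENT_COMMON = [
    ("FileShare.html", datetime(2020, 3, 2, 9, 0)),
    ("out.txt", datetime(2021, 7, 13, 2, 14, 30)),
    ("whoami.txt", datetime(2021, 7, 13, 2, 16, 5)),
    ("readme.txt", datetime(2019, 11, 20, 8, 0)),
]

# Constructed user lists: what the Serv-U configuration contains versus what
# the administrator expects to exist.
SAMPLE_CONFIGURED_USERS = ["alice", "bob", "ServU-Admin", "svc_update"]
SAMPLE_KNOWN_USERS = ["alice", "bob"]


def find_exploit_attempts(log_text):
    """Return every DebugSocketLog.txt line carrying the exploit-attempt exception."""
    return [line for line in log_text.splitlines() if EXPLOIT_EXCEPTION in line]


def recent_txt_files(entries, now=None, window_days=30):
    """Names of .txt files modified within window_days of now, newest first."""
    now = now or datetime.now()
    cutoff = now - timedelta(days=window_days)
    hits = [(name, mtime) for name, mtime in entries
            if name.lower().endswith(".txt") and mtime >= cutoff]
    hits.sort(key=lambda item: item[1], reverse=True)
    return [name for name, _ in hits]


def list_directory(path):
    """Build (name, mtime) entries from a real directory, e.g. Serv-U's Client\\Common."""
    with os.scandir(path) as it:
        return [(e.name, datetime.fromtimestamp(e.stat().st_mtime))
                for e in it if e.is_file()]


def unrecognized_users(configured_users, known_users):
    """Global users present in the Serv-U configuration but not on the approved list."""
    return sorted(set(configured_users) - set(known_users))


def triage(log_text, client_common_entries, configured_users, known_users, now=None):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "exploit_exceptions": find_exploit_attempts(log_text),
        "recent_txt_files": recent_txt_files(client_common_entries, now),
        "unrecognized_users": unrecognized_users(configured_users, known_users),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_DEBUG_LOG, SAMPLE_CLIENT_COMMON,
                      SAMPLE_CONFIGURED_USERS, SAMPLE_KNOWN_USERS, NOW)
    for check, hits in findings.items():
        print(f"{check}: {hits if hits else 'none'}")
```

On a real host, read DebugSocketLog.txt from the Serv-U installation directory, call `list_directory` on its Client\Common folder, and pass the global users you pull from the Serv-U configuration. Treat a hit on any single check as a reason to investigate rather than as proof of compromise: the exception only shows that malformed traffic reached the SSH handler, and a recent .txt file or an unexpected user needs to be tied back to an actual process or login event before it is called malicious.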