Serv-U, a popular file transfer product developed by SolarWinds, was attacked and exploited by cybercriminals last month. According to Microsoft, the attackers were based in China.
The campaign was detected in July and exploited a remote code execution flaw (CVE-2021-35211) in Serv-U's implementation of the Secure Shell (SSH) protocol. The flaw allowed the attackers to run arbitrary code, load malicious code libraries, and steal, modify, and delete confidential information.
The attack has been linked to a Chinese hacking group designated DEV-0322, believed to be part of a larger group of activity that Microsoft calls DEV. Because the group is still in its development stage, each such group is identified by a unique serial code that distinguishes it from the others.
DEV-0322 has been attacking US-based technology companies and defense contractors. Its operators use commercial VPN tools and compromised consumer routers as infrastructure to infiltrate networks.
Microsoft has also released guidance to help administrators determine whether their network has been compromised by a remote attacker. It advises businesses to check the Serv-U DebugSocketLog.txt log file for exception messages such as: C0000005; CSUSSHSocket::ProcessReceive.
This exception message usually appears after a successful exploitation attempt. However, it can also be triggered unexpectedly by a non-attack scenario, so Microsoft advises organizations that find it to review their logs for other suspicious behavior before drawing conclusions.
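The following script is an added example of the log check described above; it is not code from SolarWinds or Microsoft. It scans a DebugSocketLog.txt for the exception signature quoted in the guidance and reports each hit for review. Only the search string (C0000005; CSUSSHSocket::ProcessReceive) comes from the advisory; the sample log lines, their layout, and the function names are constructed for illustration and do not reproduce real Serv-U output.

```python
"""Scan a Serv-U DebugSocketLog.txt for the exception message Microsoft
associates with CVE-2021-35211 exploitation attempts.

Added example, not SolarWinds or Microsoft code. The log line layout below is
constructed for illustration; only the search string comes from the guidance.
"""
import re
import sys
from typing import Iterable, List, Tuple

# Exception signature quoted in Microsoft's guidance: an access-violation
# exception code (C0000005) raised inside CSUSSHSocket::ProcessReceive.
# Whitespace after the semicolon is allowed and the match is case-insensitive.
EXCEPTION_PATTERN = re.compile(
    r"C0000005;\s*CSUSSHSocket::ProcessReceive", re.IGNORECASE
)

# Constructed sample log content (not real Serv-U output): three routine
# lines and two that carry the exception signature.
SAMPLE_LOG = """\
Mon 05Jul21 10:15:02 - Serv-U started
Mon 05Jul21 10:16:44 - SSH session opened from 203.0.113.10
Mon 05Jul21 10:16:45 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive; Type: 30
Mon 05Jul21 10:17:01 - SSH session closed
Mon 05Jul21 10:22:09 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive; Type: 30
"""


def find_exception_hits(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every line carrying the signature."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        if EXCEPTION_PATTERN.search(line):
            hits.append((number, line.rstrip("\n")))
    return hits


def scan_log_file(path: str) -> List[Tuple[int, str]]:
    """Scan a DebugSocketLog.txt on disk; errors='replace' tolerates odd bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_exception_hits(fh)


def summarize(hits: List[Tuple[int, str]]) -> str:
    """Build a short triage message.

    Microsoft notes the signature can also occur without an attack, so hits
    mean "review this host", not "confirmed compromise".
    """
    if not hits:
        return "No CSUSSHSocket::ProcessReceive exceptions found."
    return (
        f"{len(hits)} exception line(s) found; review surrounding log entries "
        "and SSH activity on this host, and confirm the Serv-U patch is applied."
    )


if __name__ == "__main__":
    # Usage: python scan_servu_log.py [path\to\DebugSocketLog.txt]
    # Without an argument the constructed sample log is scanned instead.
    if len(sys.argv) > 1:
        results = scan_log_file(sys.argv[1])
    else:
        results = find_exception_hits(SAMPLE_LOG.splitlines(keepends=True))
    for number, line in results:
        print(f"line {number}: {line}")
    print(summarize(results))
```

Run against the sample data the script reports lines 3 and 5. On a real host, feed it the actual DebugSocketLog.txt path and treat any hit as a prompt to look at the surrounding entries and the SSH sessions active at that time, not as proof of compromise on its own.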
Since the number of servers at risk is still high, SolarWinds customers are advised to install the available patches and to disable SSH access to their servers.