Microsoft has attributed a new attack on SolarWinds to a group operating in China.
The software giant on Tuesday posted details of the attack, which SolarWinds patched on Monday and described as a return-oriented programming attack that targets its Serv-U managed file transfer product and allows an attacker to execute arbitrary code with privileges, install programs, and modify data on compromised hosts.
SolarWinds moved quickly to release the patch, and both it and Microsoft urged customers to apply it promptly because an actor actively exploiting the vulnerability had already been identified.
Microsoft’s Threat Intelligence Center said today that it had “great confidence” that the actor was “DEV-0322, a group operating out of China, based on observed victimology, tactics and procedures.” DEV-0322 is Microsoft’s name for the attacker.
Microsoft says it has seen the group “target entities in the US defense industry base and software companies.”
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”
The mention of consumer routers is notable, as vendors of such devices are often unnecessarily relaxed about security and rarely make their devices easy to upgrade or tell owners when an update is needed. ISPs, who often supply such devices to users, also rarely offer update advice.
Attributing the attack to an actor in China is also notable, as the United States and China have a formal anti-hacking pact that prohibits either nation from knowingly conducting or supporting any effort to hack systems in order to steal intellectual property for commercial gain.
The pact was reported to have reduced attacks from Chinese sources against American targets, but in 2018 the United States declared that China had violated it.
Microsoft’s post also details how it spotted the attack, which was revealed when it spawned an “abnormal malicious process … from the Serv-U process, suggesting it had been compromised.”
“We observed that DEV-0322 routed the output of its cmd.exe commands to files in the Serv-U Client Common folder, which is accessible from the Internet by default, so that attackers can retrieve the results of commands,” adds the post from Microsoft.
DEV-0322 then added a new global user to Serv-U, giving itself administrator access.
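The two observables Microsoft describes (a shell spawned by the Serv-U process, and command output redirected into the Serv-U Client Common folder) are easy to express as a detection over process-creation telemetry. The following is an added example written for this article, not code from Microsoft or SolarWinds: it runs two rules over a handful of constructed events in a Sysmon-like shape (parent image, image, command line). The on-disk path of the Client Common folder is assumed, and the events are invented for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events; none of these come from real telemetry.
# Event 0: both signals. Event 1: benign. Event 2: shell from Serv-U only.
# Event 3: redirect into Client Common from another parent.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Program Files\SolarWinds\Serv-U\Serv-U.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c whoami > "C:\ProgramData\RhinoSoft\Serv-U\Client\Common\out.txt"',
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c dir > C:\Users\alice\list.txt",
    ),
    ProcessEvent(
        parent_image=r"C:\Program Files\SolarWinds\Serv-U\Serv-U.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c ipconfig /all",
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\System32\inetsrv\w3wp.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd /c whoami >> C:\ProgramData\RhinoSoft\Serv-U\Client\Common\z.txt",
    ),
]

# Captures the target of a '>' or '>>' redirection, with or without quotes.
REDIRECT_RE = re.compile(r'>{1,2}\s*"?([^"\s]+)')

# Assumed relative location of the Internet-reachable folder named in the post.
CLIENT_COMMON_MARKER = "serv-u\\client\\common"

SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_serv_u_parent(ev: ProcessEvent) -> bool:
    return basename(ev.parent_image) == "serv-u.exe"


def is_shell(ev: ProcessEvent) -> bool:
    return basename(ev.image) in SHELLS


def redirect_targets(command_line: str) -> list:
    """All file paths that a command line redirects output into."""
    return REDIRECT_RE.findall(command_line)


def writes_to_client_common(command_line: str) -> bool:
    return any(CLIENT_COMMON_MARKER in t.lower() for t in redirect_targets(command_line))


def classify(ev: ProcessEvent) -> list:
    """Return the list of matched reasons; empty means the event is not flagged."""
    reasons = []
    if is_serv_u_parent(ev) and is_shell(ev):
        reasons.append("shell spawned by Serv-U")
    if writes_to_client_common(ev.command_line):
        reasons.append("output redirected to Serv-U Client Common folder")
    return reasons


def scan(events) -> list:
    """Return (index, reasons) for every flagged event, in input order."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

The parent/child rule fires on any shell launched by Serv-U, which a file-transfer daemon has no routine reason to do; the redirection rule is independent of the parent, so it still catches output being staged in the web-reachable folder even when the spawning process differs from what Microsoft observed.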
Microsoft says its Defender 365 product can now detect the attack, but still urges customers to apply the SolarWinds patch urgently. ®