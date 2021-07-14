



A recently disclosed SolarWinds Serv-U zero-day vulnerability is being exploited by a China-based threat actor that Microsoft tracks as DEV-0322, according to a blog post Microsoft published on Tuesday. The flaw, CVE-2021-35211, was originally disclosed by SolarWinds on July 9. It is a remote code execution vulnerability affecting the Serv-U Managed File Transfer Server and Serv-U Secure FTP products from SolarWinds. The vulnerability has received two fixes to date, according to SolarWinds' security advisory.

Although SolarWinds said in last week's disclosure that the vulnerability was under active attack, Microsoft's blog post added context about who is exploiting it. Microsoft attributes the exploitation, which is carried out "in limited and targeted attacks," with high confidence to a China-based threat actor the company has designated DEV-0322. According to Microsoft, DEV-0322 "targeted entities in the US defense industrial base and software companies," though the post did not say why the targets had ties to US defense or whether the group was operating on behalf of the Chinese government. "This business group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," the post read.

The blog post includes technical details of the attacks and detection guidance. Specifically, Microsoft noted that the vulnerability lies in Serv-U's SSH implementation. "If Serv-U's SSH is exposed to the Internet, successful exploitation would give attackers the ability to remotely execute arbitrary code with privileges, allowing them to perform actions such as installing and running malicious payloads, or viewing and modifying data," the blog said.
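The exposure condition Microsoft describes (Serv-U's SSH service reachable from the Internet on a build older than the fixed one) is something defenders can check for directly. The script below is an added example written for this page, not code from the article, SolarWinds or Microsoft. It reads the SSH identification string (RFC 4253 section 4.2) from each endpoint in an inventory, recognises Serv-U, and compares the build number against the fixed build the operator takes from SolarWinds' advisory. It assumes that Serv-U's SSH banner has the form `SSH-2.0-Serv-U_<version>`; the sample greetings, hostnames and the threshold build `15.2.3.742` are constructed placeholders, not figures from the advisory.

```python
"""Added example (not from the article, SolarWinds or Microsoft): triage of
Internet-facing SSH endpoints for Serv-U builds below the advisory's fixed build.
Assumed, not stated on the page: Serv-U identifies itself as
"SSH-2.0-Serv-U_<major.minor.patch.build>"."""
import re
import socket
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# RFC 4253: "SSH-protoversion-softwareversion SP comments CR LF".
# The RFC forbids '-' inside softwareversion, but the assumed Serv-U banner
# ("Serv-U_...") and other real servers break that rule, so parse leniently:
# softwareversion is everything up to the first space or line end.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)
_SERVU_RE = re.compile(r"^Serv-U_(\d+(?:\.\d+)*)$")  # assumed Serv-U format


@dataclass(frozen=True)
class SshIdent:
    proto: str
    software: str
    comments: Optional[str]


def parse_ident(line: str) -> Optional[SshIdent]:
    """Parse one SSH identification line; None if it is not one."""
    m = _IDENT_RE.match(line)
    if m is None:
        return None
    return SshIdent(m.group("proto"), m.group("software"), m.group("comments"))


def extract_ident(raw: bytes) -> Optional[str]:
    """A server may send arbitrary lines before its identification string;
    return the first *complete* (LF-terminated) line starting with 'SSH-'."""
    for line in raw.split(b"\n")[:-1]:  # last element is an unterminated tail
        if line.startswith(b"SSH-"):
            return line.rstrip(b"\r").decode("ascii", errors="replace")
    return None


def servu_version(ident: SshIdent) -> Optional[Version]:
    """Serv-U build as a comparable tuple, or None for any other server."""
    m = _SERVU_RE.match(ident.software)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def assess(raw: bytes, fixed: Version) -> str:
    """Classify one endpoint's greeting as 'not-ssh', 'not-servu',
    'servu-outdated' (build below `fixed`) or 'servu-current'."""
    line = extract_ident(raw)
    ident = parse_ident(line) if line is not None else None
    if ident is None:
        return "not-ssh"
    version = servu_version(ident)
    if version is None:
        return "not-servu"
    return "servu-current" if version >= fixed else "servu-outdated"


def triage(greetings: Dict[str, bytes], fixed: Version) -> Dict[str, str]:
    """Assess a whole inventory mapping endpoint -> raw greeting bytes."""
    return {endpoint: assess(raw, fixed) for endpoint, raw in greetings.items()}


def grab_greeting(host: str, port: int = 22, timeout: float = 5.0,
                  limit: int = 4096) -> bytes:
    """Network call: read a live host's greeting until a complete 'SSH-' line
    arrives, the peer closes, or `limit` bytes have been read."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        while len(buf) < limit and extract_ident(buf) is None:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
    return buf


# Constructed sample greetings and hostnames (not captured from real hosts).
SAMPLE_GREETINGS: Dict[str, bytes] = {
    "mft.example.net:22": b"SSH-2.0-Serv-U_15.2.3.717\r\n",
    "files.example.net:2222": b"Welcome\r\nSSH-2.0-Serv-U_15.2.3.742\r\n",
    "bastion.example.net:22": b"SSH-2.0-OpenSSH_8.4p1 Debian-3\r\n",
    "ftp.example.net:21": b"220 Serv-U FTP Server ready\r\n",
}
# Placeholder threshold; take the real fixed build from SolarWinds' advisory.
SAMPLE_FIXED: Version = (15, 2, 3, 742)

if __name__ == "__main__":
    for endpoint, verdict in triage(SAMPLE_GREETINGS, SAMPLE_FIXED).items():
        print(f"{endpoint:26} {verdict}")
```

Two details matter in practice: a Serv-U FTP greeting on port 21 mentions the product but is classified `not-ssh`, because only the SSH service is the exposure Microsoft describes, and an `SSH-` line that arrives without its terminating LF is ignored until the rest of it is read, so a partial read cannot produce a false verdict.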
"We strongly urge all customers to update their instances of Serv-U to the latest version available." SolarWinds has added a link to the blog post to its security advisory for the vulnerability. In the FAQ on the advisory page, SolarWinds stated that although Microsoft has provided evidence of impact on customers, SolarWinds "currently does not have an estimate of the number of customers that may be directly affected by the vulnerability" and "has no knowledge of the identity of potentially affected customers."

SearchSecurity asked SolarWinds whether Microsoft had informed the company of the details and targets of the attacks before Tuesday's blog post. In response, a spokesperson provided the following statement: "SolarWinds has worked with Microsoft and will continue to do so for the protection of our mutual customers, as this collaboration is a great example of collaboration between software vendors and the research community for the benefit of our customers and their security." Microsoft declined SearchSecurity's request for comment.

CVE-2021-35211 and its exploitation mark SolarWinds' first potentially major security event since the massive supply chain attack revealed in December, which affected thousands of organizations, including US government departments. In that attack, Russian state-sponsored threat actors breached the software vendor's network and planted malicious updates for SolarWinds' Orion platform, which were distributed to thousands of customers.

Alexander Culafi is a Boston-based writer, journalist and podcaster.

