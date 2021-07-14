



Microsoft has attributed a new attack on SolarWinds products to a group operating out of China.

The software giant posted details of the attack on Tuesday. SolarWinds revealed on Monday that it had patched a flaw in its Serv-U managed file transfer products that allows an attacker to run arbitrary code with privileges, install programs, and modify data on compromised targets; Microsoft describes the exploitation technique as a Return Oriented Programming attack.

SolarWinds moved quickly to publish the patch, and both SolarWinds and Microsoft urged customers to apply it promptly because an attacker actively exploiting the flaw had already been identified.

Microsoft's Threat Intelligence Center said it is confident, based on observed victimology, tactics and procedures, that the attacker is DEV-0322, a group operating out of China. DEV-0322 is Microsoft's own designation for the threat actor.

Microsoft says it has observed the group targeting entities in the US Defense Industrial Base sector and software companies.

Microsoft says the activity group is based in China and has been observed using commercial VPN services and compromised consumer routers as part of its attack infrastructure.

The mention of consumer routers is noteworthy. Vendors of such devices are often hopelessly relaxed about security and rarely tell owners when a device needs a firmware update. Even the ISPs that supply such devices to their customers rarely offer update advice.

The attribution to Chinese actors is also worth noting, because the US and the Middle Kingdom have a formal no-hack agreement under which each side pledges not to conduct, or knowingly support, the cracking of systems to steal intellectual property for commercial gain.

The agreement reportedly reduced Chinese attacks on US targets, but in 2018 the US said China had violated it.

Microsoft's post also details how the attack was discovered: an anomalous malicious process was spawned from the Serv-U process, suggesting that Serv-U itself had been compromised.

"We observed DEV-0322 piping the output of cmd.exe commands to a file in the Serv-U Client\Common folder, so that the attacker could retrieve the results of the commands," the post adds.

DEV-0322 then added a new global user to Serv-U and made that user an administrator.
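The two process-level behaviours Microsoft describes (a child process spawned by Serv-U, and cmd.exe output redirected into the Client\Common folder) are easy to hunt for in endpoint process-creation telemetry. The following Python is an added example written for this article; it is not code from Microsoft or SolarWinds. The JSON-lines sample events are constructed in Sysmon Event ID 1 style, the Serv-U install path under C:\Program Files\RhinoSoft\Serv-U is an assumed default, and the rule that Serv-U should spawn no child processes at all is an assumption to tune for your environment. The global-user addition is a Serv-U configuration change rather than a process event, so it is not covered here.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style, as
# JSON lines). Not real telemetry: the Serv-U install path is an assumed
# default and the command lines are illustrative.
SAMPLE_LOG = r"""
{"UtcTime": "2021-07-12 03:14:05", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"UtcTime": "2021-07-12 03:15:10", "ParentImage": "C:\\Program Files\\RhinoSoft\\Serv-U\\Serv-U.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami > \"C:\\Program Files\\RhinoSoft\\Serv-U\\Client\\Common\\o.txt\""}
{"UtcTime": "2021-07-12 03:15:12", "ParentImage": "C:\\Program Files\\RhinoSoft\\Serv-U\\Serv-U.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir C:\\Users >> C:\\PROGRA~1\\RhinoSoft\\Serv-U\\Client\\Common\\d.txt"}
{"UtcTime": "2021-07-12 03:20:00", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all > C:\\Temp\\ip.txt"}
"""


@dataclass
class ProcEvent:
    utc_time: str
    parent_image: str
    image: str
    command_line: str


def parse_events(text: str) -> List[ProcEvent]:
    """Parse JSON-lines process-creation records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(ProcEvent(rec["UtcTime"], rec["ParentImage"],
                                rec["Image"], rec["CommandLine"]))
    return events


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SERV_U_IMAGE = "serv-u.exe"

# A shell redirect (">" or ">>") whose target, quoted or not, sits under a
# "\Client\Common\" directory. Case-insensitive because Windows paths are.
# The quoted branch is needed because "C:\Program Files\..." contains a space.
CLIENT_COMMON_REDIRECT = re.compile(
    r'>{1,2}\s*(?:"[^"]*|[^"\s]*)\\client\\common\\', re.IGNORECASE)


def is_child_of_serv_u(e: ProcEvent) -> bool:
    """Assumption: Serv-U is not expected to spawn child processes, so any
    child (cmd.exe especially) is worth investigating."""
    return basename(e.parent_image) == SERV_U_IMAGE


def writes_cmd_output_to_client_common(e: ProcEvent) -> bool:
    """cmd.exe redirecting its output into a Serv-U Client\\Common folder,
    the retrieval trick Microsoft attributes to DEV-0322."""
    return (basename(e.image) == "cmd.exe"
            and CLIENT_COMMON_REDIRECT.search(e.command_line) is not None)


def findings(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """One finding per event that trips at least one rule, with the reasons."""
    out = []
    for e in events:
        reasons = []
        if is_child_of_serv_u(e):
            reasons.append("child_of_serv_u")
        if writes_cmd_output_to_client_common(e):
            reasons.append("cmd_output_to_client_common")
        if reasons:
            out.append({"UtcTime": e.utc_time, "Image": e.image,
                        "CommandLine": e.command_line, "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(parse_events(SAMPLE_LOG)):
        print(f["UtcTime"], f["Image"], ", ".join(f["reasons"]))
```

Run against the constructed sample, the two events spawned by Serv-U.exe are flagged on both rules and the benign explorer.exe-spawned cmd.exe redirect to C:\Temp is not. In production you would feed it exported Sysmon or Security 4688 events and, if Serv-U legitimately spawns helper processes in your deployment, allow-list those images rather than dropping the parent rule.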

Microsoft said its Microsoft 365 Defender product now detects the attack, but still urged customers to apply the SolarWinds patch without delay.

