Microsoft: Chinese threat actor exploited SolarWinds zero-day

A recently disclosed SolarWinds Serv-U zero-day vulnerability is apparently being exploited by a Chinese threat actor designated "DEV-0322" by Microsoft, which published a blog about the exploitation Tuesday.

The flaw, CVE-2021-35211, was originally disclosed by SolarWinds on July 9. It's a remote code execution vulnerability impacting SolarWinds' Serv-U Managed File Transfer Server and Serv-U Secured FTP IT management products. The vulnerability has received two hotfixes to date, according to SolarWinds' security advisory.

Although SolarWinds said in last week's disclosure that the vulnerability was under attack, Microsoft's blog post added more context to who those exploiting the bug are. Microsoft attributes the exploitation, which is being done "in limited and targeted attacks," with high confidence to a China-based threat actor the company identified as DEV-0322.

According to Microsoft, DEV-0322 has been "targeting entities in the U.S. Defense Industrial Base Sector and software companies," though the post stopped short of saying why, whether those targeted in the SolarWinds attacks had U.S. defense affiliations, or whether the group was operating on behalf of the government.

"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," the post read.

The blog post includes specifics on technical attack details and detection guidance. Specifically, Microsoft noted the vulnerability involves Serv-U's implementation of SSH. "If Serv-U's SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data," the blog post stated. "We strongly urge all customers to update their instances of Serv-U to the latest available version."

SolarWinds included a link to the blog post on its security advisory for the vulnerability.

In the FAQ released on the advisory page, SolarWinds said that while Microsoft provided evidence of customer impact, SolarWinds "does not currently have an estimate of how many customers may be directly affected by the vulnerability" and that "SolarWinds is unaware of the identity of the potentially affected customers."

SearchSecurity asked SolarWinds whether Microsoft informed the company about the attack details and targets before Tuesday's blog was published. In response, a spokesperson offered the following statement.

"SolarWinds has been working with Microsoft, and will continue to do so for the protection of our mutual customers, as this collaboration is a great example of software vendors and the research community working together for the benefit of our customers and their security," the statement read.

Microsoft declined SearchSecurity's request for comment.

CVE-2021-35211 and its exploitation marks SolarWinds first potentially major security event since the massive supply attack disclosed in December that impacted thousands of organizations, including departments in the U.S. government. During that attack, Russian state-sponsored threat actors breached the software vendor's network and crafted malicious software updates for SolarWinds' Orion platform, which were sent out to thousands of customers.

Alexander Culafi is a writer, journalist and podcaster based in Boston.