Microsoft Discovers 0-Day Vulnerability Actively Exploited In SolarWinds FTP Product
Yesterday, Microsoft reported that it had detected a 0-day remote code execution exploit being used in the wild against SolarWinds’ Serv-U FTP product. The vulnerability that allowed this exploit has since been patched, but the incident is disconcerting nonetheless.
Tracked as CVE-2021-35211, the vulnerability, which Microsoft reported to SolarWinds, resided in Serv-U’s implementation of the Secure Shell (SSH) protocol, explains Microsoft’s Threat Intelligence Center (MSTIC). If Serv-U’s SSH service was exposed to the internet, attackers could exploit the vulnerability to achieve remote code execution with privileges, leading to malware installation or unauthorized data access.
Microsoft found that this vulnerability was being actively exploited by a threat actor group based out of China, dubbed DEV-0322 by Microsoft. Through routine checks by Microsoft 365 Defender, an “anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised.” Then, the threat actors would run commands and create administrative users to do more malicious work.
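The detection signal described above, a command interpreter spawned by the Serv-U process followed by account creation, can be turned into a simple rule over process-creation events. This is an added example, not code from the article or from Microsoft; the service executable name `Serv-U.exe`, the Sysmon-style field names and the sample events are assumptions constructed for the illustration.

```python
# Added example (not from the article): flag child processes of the Serv-U
# service and account-creation commands in process-creation events.
from __future__ import annotations
import re
from typing import Iterable

SERVU_PARENT = "serv-u.exe"  # assumed service executable name
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# An FTP service has no business creating accounts or changing group membership.
ACCOUNT_CHANGE = re.compile(
    r"\bnet1?\s+(user|localgroup|group)\b.*\s/add\b", re.IGNORECASE)

def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list when benign)."""
    reasons = []
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    child = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("command_line", "")
    if parent == SERVU_PARENT:
        # Any child of the service is anomalous; a shell is the classic first stage.
        reasons.append("child of Serv-U service" + (" (shell)" if child in SHELLS else ""))
    if ACCOUNT_CHANGE.search(cmdline):
        reasons.append("account/group creation")
    return reasons

def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that carries at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

# Constructed sample events (Sysmon-style fields; paths and names are invented).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Serv-U\Serv-U.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "whoami"'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user backup_svc P@ss /add"},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Serv-U\Serv-U.exe",
     "command_line": "Serv-U.exe"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, reasons)
```

A real deployment would key on the parent process of the service account running Serv-U rather than on the executable name alone, since the name is trivially renamed.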
MSTIC further observed that the group, whose infrastructure included commercial VPN solutions and compromised consumer routers, targeted organizations in the U.S. Defense Industrial Base sector and software companies. Thankfully, SolarWinds responded quickly to Microsoft’s discovery and has pushed a patch that all Serv-U customers should download. Once again, this is a stark reminder that cybersecurity is an important investment and requires continual research.