[TheRecord] Chinese hackers behind July 2021 SolarWinds zero-day attacks

In mid-July this year, Texas-based software provider SolarWinds released an emergency security update to patch a zero-day in its Serv-U file transfer technology that was being exploited in the wild.

At the time, SolarWinds did not share any details about the attacks and only said that it learned of the bug from Microsoft’s security team.

In a blog post on Thursday, Microsoft revealed more details about the July attacks.

The company said the zero-day was the work of a new threat actor the company was tracking as DEV-0322, which Microsoft described as “a group operating out of China, based on observed victimology, tactics, and procedures.”

Microsoft said the group targeted SolarWinds Serv-U servers “by connecting to the open SSH port and sending a malformed pre-auth connection request,” which allowed DEV-0322 operators to run malicious code on the targeted system and take over vulnerable devices.

The OS maker did not go into details about what the intruders did once they breached a target. It is unclear if the hackers were interested in cyber-espionage and intelligence collection or if DEV-0322 was a run-of-the-mill crypto-mining gang.

Zero-day root cause: No ASLR

On the other hand, Microsoft delved into the technical aspects of the zero-day itself, tracked as CVE-2021-35211.

Microsoft said that one of the reasons the attacks succeeded was that some of the Serv-U binaries had not been protected by ASLR (Address Space Layout Randomization), a feature that randomizes the memory location of an application in order to prevent attackers from targeting specific memory sections and corrupting an app’s memory.

As ASLR protection was missing, Microsoft said that exploiting the Serv-U zero-day was “not so complicated.”

“Enabling ASLR is a simple compile-time flag which is enabled by default and has been available since Windows Vista,” Microsoft engineers said.
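A defender can audit installed binaries for this condition by reading the PE header. The following is an added example, not code from the article or from Microsoft: it parses the `DllCharacteristics` field and reports whether an image opts in to ASLR. The function names and the header-only sample are constructed for illustration.

```python
import struct
import sys

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (linker /DYNAMICBASE)
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit ASLR)
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED in the COFF Characteristics

def aslr_status(data: bytes) -> dict:
    """Read the ASLR-related header flags of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                  # signature (4) + COFF header (20)
    if len(data) < opt + 72:
        raise ValueError("optional header truncated")
    opt_size, characteristics = struct.unpack_from("<HH", data, pe_off + 20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocatable = not characteristics & RELOCS_STRIPPED
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "relocs_stripped": not relocatable,
        # Opt-in alone is not enough: without relocations the image cannot move.
        "aslr": dynamic_base and relocatable,
    }

def constructed_pe(dll_chars: int, characteristics: int = 0x0002) -> bytes:
    """Constructed sample: 64-bit PE headers only, no sections or code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, characteristics)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for path in sys.argv[1:]:                          # paths to .exe/.dll files to audit
        with open(path, "rb") as fh:
            print(path, aslr_status(fh.read()))
```

Run over every executable and DLL in a product's install directory, any image reporting `"aslr": False` loads at a predictable address and is worth raising with the vendor.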

Chinese hackers exploited SolarWinds products before

After news broke last year of the major SolarWinds supply-chain attack, which was carried out by Russian cyber-espionage teams linked to the SVR intelligence service, the subsequent investigation found unrelated SolarWinds vulnerabilities that were also exploited by Chinese hackers.

US security firm Secureworks, which discovered these attacks, codenamed the Chinese group Spiral.

Per Secureworks, in the attacks detected at the end of 2020 and start of 2021, Spiral exploited a SolarWinds zero-day in the Orion IT monitoring platform tracked as CVE-2020-10148.

The post Chinese hackers behind July 2021 SolarWinds zero-day attacks appeared first on The Record by Recorded Future.
