[TheRecord] Chinese hackers behind July 2021 SolarWinds zero-day attacks

In mid-July this year, Texas-based software provider SolarWinds released an emergency security update to patch a zero-day in its Serv-U file transferring technology that was being exploited in the wild.

At the time, SolarWinds did not share any details about the attacks and only said that it learned of the bug from Microsoft’s security team.

In a blog post on Thursday, Microsoft revealed more details about the July attacks.

The company said the zero-day was the work of a new threat actor the company was tracking as DEV-0322, which Microsoft described as “a group operating out of China, based on observed victimology, tactics, and procedures.”

Microsoft said the group targeted SolarWinds Serv-U servers “by connecting to the open SSH port and sending a malformed pre-auth connection request,” which allowed DEV-0322 operators to run malicious code on the targeted system and take over vulnerable devices.

The OS maker did not go into details about what the intruders did once they breached a target. It is unclear if the hackers were interested in cyber-espionage and intelligence collection or if DEV-0322 was a run-of-the-mill crypto-mining gang.

Zero-day root cause: No ASLR

On the other hand, Microsoft delved into the technical aspects of the zero-day itself, tracked as CVE-2021-35211.

Microsoft said that one of the reasons the attacks succeeded was that some of the Serv-U binaries had not been protected by ASLR (Address Space Layout Randomization), a feature that randomizes the memory location of an application in order to prevent attackers from targeting specific memory sections and corrupting an app’s memory.

As ASLR protection was missing, Microsoft said that exploiting the Serv-U zero-day was “not so complicated.”

“Enabling ASLR is a simple compile-time flag which is enabled by default and has been available since Windows Vista,” Microsoft engineers said.
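Microsoft’s remark is about a per-binary opt-in: on Windows, a linker flag sets the DYNAMIC_BASE bit in the PE optional header’s DllCharacteristics field, and the loader randomizes the image base only when that bit is set and the relocation table has not been stripped. The following is an added example (not code from Microsoft, SolarWinds or this article) showing how a defender can audit that bit directly from a file’s PE headers; it builds its own constructed, header-only sample images rather than reading any real Serv-U binary.

```python
import struct

# Flag values from the PE/COFF specification
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit ASLR)
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP opt-in)
RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED in COFF Characteristics

def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers of an image and report its ASLR/DEP opt-in flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomise the base if it can still relocate the image
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": magic == 0x20B and bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
    }

def build_sample_pe(dll_chars: int, magic: int = 0x10B, file_chars: int = 0) -> bytes:
    """Constructed, header-only PE image for demonstration (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, file_chars)
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_chars)
    opt += b"\0" * (96 - len(opt))
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    # An image built without the ASLR flag versus one built with it
    for label, img in [("no-aslr", build_sample_pe(NX_COMPAT)),
                       ("aslr+dep", build_sample_pe(DYNAMIC_BASE | NX_COMPAT))]:
        print(label, pe_mitigations(img))
```

To audit a real file, pass `open(path, "rb").read()` to `pe_mitigations`; a result with `aslr_effective` False is a binary that the loader will place at a fixed address every time.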

Chinese hackers exploited SolarWinds products before

After news of the major SolarWinds supply-chain attack broke last year (an operation carried out by Russian cyber-espionage teams linked to the SVR intelligence service), the subsequent investigation found unrelated SolarWinds vulnerabilities that were also being exploited, by Chinese hackers.

US security firm Secureworks, which discovered these attacks, codenamed the Chinese group Spiral.

Per Secureworks, in the attacks detected at the end of 2020 and start of 2021, Spiral exploited a SolarWinds zero-day in the Orion IT monitoring platform tracked as CVE-2020-10148.

The post Chinese hackers behind July 2021 SolarWinds zero-day attacks appeared first on The Record by Recorded Future.

