Security News, September 2021: Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack

Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting the SolarWinds Serv-U managed file transfer service, which it has attributed with "High confidence" to a threat actor operating out of China.
"The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," the Microsoft Offensive Research and Security Engineering team said in a detailed write-up describing the exploit.
"An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported," the researchers added.
While Microsoft linked the attacks to DEV-0322, a China-based collective, citing "Observed victimology, tactics, and procedures," the company has now revealed that the remote, pre-auth vulnerability stemmed from the way the Serv-U process handled access violations without terminating the process, which made stealthy, reliable exploitation attempts simple to pull off.
"Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization loaded by the Serv-U process to facilitate exploitation," the researchers added.
Microsoft, which disclosed the attack to SolarWinds, said it recommended enabling ASLR compatibility for all binaries loaded in the Serv-U process.
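As an added illustration of the ASLR recommendation above (this is not code from Microsoft or SolarWinds), the following Python reads a PE module's COFF and optional headers and reports whether the DYNAMIC_BASE flag is set and relocations are present, which together are what make a loaded DLL ASLR-compatible. The `aslr_status` and `make_test_pe` names are the example's own, and the PE header it inspects is a constructed minimal stub rather than a real Serv-U binary.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001               # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # optional header DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def aslr_status(image: bytes) -> dict:
    """Parse a PE image and report whether the loader can randomise its base.

    A module is only relocated when DYNAMIC_BASE is set *and* its base
    relocations were not stripped; otherwise it is mapped at its preferred
    ImageBase, giving an attacker a fixed address space to work with.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    (coff_chars,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20                          # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def make_test_pe(dll_chars: int, coff_chars: int = 0x2002, pe32plus: bool = True) -> bytes:
    """Build a constructed, minimal PE header (not loadable) for testing the parser."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                 # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE signature
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, flags in (("aslr_ok.dll", 0x0160), ("no_aslr.dll", 0x0100)):
        status = aslr_status(make_test_pe(flags))
        print(name, "ASLR effective" if status["aslr_effective"] else "FIXED BASE", status)
```

On a real host the same check can be run over every module in the Serv-U process (the paths returned by `open(path, "rb").read()` for each loaded DLL) to find the fixed-base modules the write-up refers to.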