Microsoft said it discovered a damaging zero-day vulnerability affecting SolarWinds software, and they have evidence a hacking group tied to China has been actively exploiting it in the wild.
The flaw, which Microsoft said it discovered in Microsoft 365 Defender telemetry during a “routine” investigation, impacts SolarWinds Serv-U file transfer software and attacks weaknesses in the way it implements the Secure Shell protocol, a cryptographic method for authenticating remote login from one computer to another. If left exposed to the internet, an attacker exploiting the bug could gain remote code execution privileges.
A notice for the vulnerability was originally posted by SolarWinds on July 9, and the company said it affects Serv-U version 15.2.3 HF1 as well as all prior versions. A hot fix update was made available addressing the flaw and SolarWinds strongly advised customers to patch as soon as possible. In updates July 10 and 13, they clarified that only Serv-U’s Managed File Transfer and Secure FTP software for Windows was affected. Linux versions of the software are not vulnerable, nor are other SolarWinds or N-Able (its managed service provider wing that was recently spun off).
“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” the company said, adding “SolarWinds is unaware of the identity of the potentially affected customers.”
Microsoft said they have “high confidence” that the flaw is being actively used by a threat group based in China they’re calling DEV-0322. During the investigation, they discovered an “anomalous, malicious process” that allowed the attacker to add themselves as a global administrator for affected versions of the software.
Microsoft “has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”
If Microsoft’s attribution is correct and if the threat group used the vulnerability to target defense contractors, it would be the latest in a long line of attacks against the U.S. defense industrial base from Chinese hackers. Such attacks are usually espionage-related and target what’s known as CUI – or controlled unclassified information – stored by many contractors. While not technically classified, the government considers this kind of data a form of protected information that still holds valuable information about U.S. military capabilities.
The sheer volume of attacks on this sector from China over the past decade has put the sector on a permanent defensive footing, outraged members of Congress, spurred the Pentagon to warn that it is “materially eroding” U.S. military supremacy and led to a new mandatory security certification regime for companies that contract with the military.
It also represents another security black eye for SolarWinds, which is already being sued by its shareholders in a class-action lawsuit over accusations of shoddy security culture and practices that led to a massive supply chain breach of their Orion software. However, while that hack ultimately led to the compromise of dozens of companies and 10 federal agencies who used Orion, Microsoft has emphasized that their observations indicate that exploitation of Serv-U’s vulnerability appears to be “limited and targeted” at this time.
Microsoft released indicators of compromise, detection guidance for Window Defender, and endpoint detection and response alerts to assist organizations. SolarWinds also released indicators of compromise and on July 13 released a step-by-step guide to help determine if your software is compromised.