Microsoft has attributed a new attack on SolarWinds software to a group operating in China.
The software giant on Tuesday posted details of the attack, which exploits a flaw SolarWinds patched on Monday. The exploit is described as a Return Oriented Programming attack on the Serv-U managed file transfer product, and it lets an attacker run arbitrary code with privileges, install programs and alter data on cracked targets.
SolarWinds acted promptly to issue the patch, but it and Microsoft both urged swift application because an actor was already actively exploiting the flaw.
Microsoft’s Threat Intelligence Center today stated it has “high confidence” that the actor is “DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures”. DEV-0322 is Microsoft’s name for the attacker.
Microsoft says it’s seen the group “targeting entities in the US Defense Industrial Base Sector and software companies.
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”
The mention of consumer routers is notable, as vendors of such devices are often unhelpfully relaxed about security, seldom make their machines easy to upgrade, and rarely advise when an update is necessary. ISPs, which often supply such devices to users, also seldom offer update advice.
Attributing the attack to an actor in China is also notable, as the USA and the Middle Kingdom have a formal No-Hack Pact that prohibits either nation from conducting, or knowingly supporting, efforts to crack systems to steal intellectual property for commercial advantage.
That pact reportedly saw China-sourced attacks on US targets decrease, but in 2018 the USA said China had breached the pact.
Microsoft’s post also details how it spotted the attack, which gave itself away by spawning an “anomalous malicious process … from the Serv-U process, suggesting that it had been compromised”.
“We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands,” Microsoft’s post adds.
DEV-0322 would then add a new global user to Serv-U, making itself an admin.
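The two tells Microsoft describes above, a child process spawned by the Serv-U process and shell output redirected into the internet-reachable \Client\Common\ folder, are simple to turn into a detection over process-creation telemetry. The following is an added example written for this page, not code from Microsoft, SolarWinds or The Register. It assumes Sysmon-style process-creation records with parent image, image and command line fields; the Serv-U process name, the install path and every sample event are constructed for illustration.

```python
"""
Detection sketch for the Serv-U post-exploitation behaviour described in the
Microsoft post. Added example; the record layout, the Serv-U process name,
the install path and all sample events below are assumptions made for
illustration, not telemetry from a real incident.
"""
import re
from dataclasses import dataclass

# Assumption: the Serv-U service runs as this image name.
SERVU_IMAGE = "serv-u.exe"
# Command interpreters whose output an attacker would redirect to a file.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Output redirection (">" or ">>") into a ...\Client\Common\ directory, with or
# without a quoted path. The folder is web-accessible by default per the post.
REDIRECT_TO_COMMON = re.compile(r'>>?\s*"?[^"&|]*\\Client\\Common\\', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon event ID 1 style record (constructed shape)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the detection labels that apply to one process-creation event."""
    hits = []
    parent, child = basename(event.parent_image), basename(event.image)
    # Serv-U handles file transfers; it has no business launching other binaries.
    if parent == SERVU_IMAGE and child != SERVU_IMAGE:
        hits.append("servu_spawned_child")
    # A shell writing its output where an unauthenticated web client can fetch it.
    if child in SHELLS and REDIRECT_TO_COMMON.search(event.command_line):
        hits.append("shell_output_to_client_common")
    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return every event that triggered at least one label, with its labels."""
    results = []
    for event in events:
        labels = classify(event)
        if labels:
            results.append((event, labels))
    return results


# Constructed sample telemetry. C:\Serv-U is an assumed install root.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Serv-U\Serv-U.exe", "Serv-U.exe"),
    ProcessEvent(r"C:\Serv-U\Serv-U.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c whoami > "C:\Serv-U\Client\Common\out.txt"'),
    ProcessEvent(r"C:\Serv-U\Serv-U.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c ipconfig /all >> C:\Serv-U\Client\Common\net.txt"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir > C:\Users\bob\listing.txt"),
    ProcessEvent(r"C:\Serv-U\Serv-U.exe", r"C:\Windows\System32\whoami.exe", "whoami.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c echo hi > "C:\Serv-U\Client\Common\x.txt"'),
]

if __name__ == "__main__":
    for event, labels in scan(SAMPLE_EVENTS):
        print(f"{labels}: {basename(event.parent_image)} -> {event.command_line}")
```

The first label on its own is the stronger signal: a file transfer daemon spawning anything is worth a look regardless of what the child does, and it fires even when the attacker avoids cmd.exe entirely. The second label catches the specific exfiltration trick in the post, and an event that carries both labels is a good candidate for immediate triage.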
Microsoft says its Microsoft 365 Defender product now detects the attack, but urged urgent application of SolarWinds’ patch. ®