Microsoft names Chinese group as source of new attack on SolarWinds

Bad actor likes to work through insecure consumer routers and has form attacking tech companies and military targets


Microsoft has attributed a new attack on SolarWinds to a group operating in China.

The software giant on Tuesday posted details of the attack. SolarWinds had patched the flaw on Monday and described it as a return-oriented programming (ROP) attack against its Serv-U managed file transfer product; successful exploitation lets an attacker run arbitrary code with privileges, install programs and alter data on compromised hosts.

SolarWinds issued the patch promptly, but it and Microsoft both urged customers to apply it without delay because an actor actively exploiting the flaw had already been identified.

Microsoft’s Threat Intelligence Center today stated it has “high confidence” that actor is “DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures”. DEV-0322 is Microsoft’s name for the attacker.

Microsoft says it’s seen the group “targeting entities in the US Defense Industrial Base Sector and software companies.

“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”

The mention of consumer routers is notable, as vendors of such devices are often unhelpfully relaxed about security, seldom make their devices easy to upgrade, and rarely advise owners when an update is necessary. ISPs, which often supply such devices to subscribers, also seldom offer update advice.

Attributing the attack to an actor in China is also notable, as the USA and the Middle Kingdom have a formal No-Hack Pact that prohibits either nation from conducting, or knowingly supporting, efforts to crack systems to steal intellectual property for commercial advantage.

That pact reportedly saw China-sourced attacks on US targets decrease, but in 2018 the USA said China had breached the pact.

Microsoft’s post also details how it spotted the attack, which gave itself away by spawning an “anomalous malicious process … from the Serv-U process, suggesting that it had been compromised.

“We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands,” Microsoft’s post adds.

DEV-0322 would then add a new global user to Serv-U, making itself an admin.
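The two observable behaviours Microsoft describes (a process spawned by the Serv-U service, and command output redirected into the web-exposed Serv-U \Client\Common\ folder) can be hunted for in process-creation telemetry. The script below is an added example written for this article, not code from Microsoft or SolarWinds. It assumes Sysmon-style Event ID 1 records with Image, ParentImage and CommandLine fields, that the Serv-U service binary is named Serv-U.exe, and a default install root of C:\ProgramData\RhinoSoft\Serv-U; the sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: the Serv-U service runs as Serv-U.exe (adjust to your deployment).
SERVU_IMAGE = "serv-u.exe"

# Files dropped in Serv-U\Client\Common\ are reachable over the web by default,
# which is why the attacker wrote command output there.
WEB_EXPOSED_DIR = re.compile(r"\\serv-u\\client\\common\\", re.IGNORECASE)

# cmd.exe output redirection: ">" or ">>" followed by an optionally quoted path.
REDIRECT = re.compile(r">>?\s*\"?([^\"\s&|]+)")


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Apply two hunting rules to Sysmon-style process-creation records.

    Rule 1: any child process of the Serv-U service is suspicious; a file
            transfer daemon has little reason to spawn cmd.exe or similar.
    Rule 2: any command line that redirects output into the web-exposed
            Client\\Common folder, whoever the parent is.
    """
    findings = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")

        if parent == SERVU_IMAGE:
            findings.append(Finding("servu_child_process", ev["id"],
                                    f"{image} spawned by {parent}"))

        for match in REDIRECT.finditer(cmd):
            target = match.group(1)
            if WEB_EXPOSED_DIR.search(target):
                findings.append(Finding("output_to_web_exposed_dir", ev["id"],
                                        f"{image} wrote to {target}"))
    return findings


# Constructed sample telemetry: two benign events and two that mimic the
# tradecraft described in the article (not real captured logs).
SAMPLE_EVENTS = [
    {"id": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"id": 2,
     "ParentImage": r"C:\Program Files\SolarWinds\Serv-U\Serv-U.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c whoami > "C:\ProgramData\RhinoSoft\Serv-U\Client\Common\out.txt"'},
    {"id": 3,
     "ParentImage": r"C:\Program Files\SolarWinds\Serv-U\Serv-U.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ipconfig /all >> C:\ProgramData\RhinoSoft\Serv-U\Client\Common\i.txt"},
    {"id": 4,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir > C:\Temp\listing.txt"},
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"event {finding.event_id}: {finding.rule}: {finding.detail}")
```

Rule 1 will need an allowlist if Serv-U legitimately launches helper processes in your environment; rule 2 is the higher-fidelity signal, since there is no benign reason for command output to land in a directory the internet can read. Pairing either with a periodic listing of unexpected files under Client\Common gives a second, file-based line of evidence.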

Microsoft says its Microsoft 365 Defender product now detects the attack, but urged urgent application of SolarWinds' patch. ®


Biting the hand that feeds IT © 1998–2021