Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit
Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.
The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. The vulnerability, which Microsoft reported to SolarWinds, exists in Serv-U’s implementation of the Secure Shell (SSH) protocol. If Serv-U’s SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data. We strongly urge all customers to update their instances of Serv-U to the latest available version.
Microsoft 365 Defender has been protecting customers against malicious activity resulting from successful exploitation, even before the security patch was available. Microsoft Defender Antivirus blocks malicious files, behavior, and payloads. Our endpoint protection solution detects and raises alerts for the attacker’s follow-on malicious actions. Microsoft Threat Experts customers who were affected were notified of attacker activity and were aided in responding to the attack.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25416369/STK473_NET_NEUTRALITY_CVIRGINIA_A.jpg)
