Earlier this week, SolarWinds developers patched an RCE vulnerability (CVE-2021-35211) in Serv-U and warned that hackers were already exploiting the problem. According to the company, the vulnerability was exploited by only one attacker in attacks aimed at a limited number of victims.
This vulnerability only affects Serv-U Managed File Transfer and Serv-U Secure FTP. All Serv-U versions up to the updated 15.2.3 HF2, released a few days ago and containing a fix, are considered vulnerable.
The bug was originally discovered by Microsoft specialists, as well as targeted attacks on unnamed SolarWinds customers, and now the company has shared details about its find.
Microsoft experts said that the vulnerability in Serv-U is exploited by Chinese hackers, using it to attack defense and software companies in the United States. The company tracks this hack group under the ID DEV-0322.
It is reported that the threat was discovered due to the fact that Defender began to notice malicious processes generated by the main application Serv-U, which ultimately led to an investigation of what was happening and the detection of attacks on a zero-day vulnerability.
“The activity of this group comes from China, we watched as [attackers] use commercial VPN solutions and hacked consumer routers in their infrastructure,” – the experts write.
Microsoft says Serv-U users can test their devices for compromise by looking at the Serv-U log file (DebugSocketLog.txt) and searching for exception messages. In particular, “C0000005; CSUSSHSocket :: ProcessReceive ”may indicate that attackers tried to hack Serv-U, although the exception may be displayed for other reasons as well.
Other signs of compromise were named:
- newly created .txt files in the Client \ Common \ folder;
- Serv-U spawns processes for mshta.exe, powershell.exe, cmd.exe and processes launched from C: \ Windows \ temp;
- unrecognized global users in Serv-U configuration.
Unfortunately, according to Censys , there are currently over 8,200 SolarWinds Serv-U systems with an open SSH port available on the network, and the number has remained unchanged since last week when the patches were released.