Articles Recently fixed issue in Serv-U was attacked by Chinese...

Recently fixed issue in Serv-U was attacked by Chinese hack group DEV-0322


Earlier this week, SolarWinds developers  patched an RCE vulnerability (CVE-2021-35211) in Serv-U and warned that hackers were already exploiting the problem. According to the company, the vulnerability was exploited by only one attacker in attacks aimed at a limited number of victims.

This vulnerability only affects Serv-U Managed File Transfer and Serv-U Secure FTP. All Serv-U versions up to the updated 15.2.3 HF2, released a few days ago and containing a fix, are considered vulnerable.

The bug was originally discovered by Microsoft specialists, as well as targeted attacks on unnamed SolarWinds customers, and now the company has shared details about its find.

Microsoft experts said that the vulnerability in Serv-U is exploited by Chinese hackers, using it to attack defense and software companies in the United States. The company tracks this hack group under the ID DEV-0322.

It is reported that the threat was discovered due to the fact that Defender began to notice malicious processes generated by the main application Serv-U, which ultimately led to an investigation of what was happening and the detection of attacks on a zero-day vulnerability.

“The activity of this group comes from China, we watched as [attackers] use commercial VPN solutions and hacked consumer routers in their infrastructure,” – the experts write.

Microsoft says Serv-U users can test their devices for compromise by looking at the Serv-U log file (DebugSocketLog.txt) and searching for exception messages. In particular, “C0000005; CSUSSHSocket :: ProcessReceive ”may indicate that attackers tried to hack Serv-U, although the exception may be displayed for other reasons as well.

Other signs of compromise were named:

  • newly created .txt files in the Client \ Common \ folder;
  • Serv-U spawns processes for mshta.exe, powershell.exe, cmd.exe and processes launched from C: \ Windows \ temp;
  • unrecognized global users in Serv-U configuration.

Unfortunately, according to Censys , there are currently over 8,200 SolarWinds Serv-U systems with an open SSH port available on the network, and the number has remained unchanged since last week when the patches were released.

Must read

28 dangerous extensions detected for Google Chrome and Microsoft Edge

Avast experts have discovered malware hidden in at least 28 third-party...

Critical Infrastructure Warning! Millions of PLCs, switches, IoT devices are under threat

Eleven vulnerabilities, combined under the name Urgent / 11,...

Why Is It Important To Have Intrusion Detection And Prevention ?

This article describes why detection and prevention of burglaries...

The risk is real: attacks on OT infrastructure

Previously, many believed that attacks on an isolated OT...

Gitpaste-12: Linux bot armed with a dozen exploits

Researchers at Juniper Networks have discovered a Linux scripting...

Saferwall : Open Source Malware Analysis

Saferwall is an open source malware analysis platform. It...

Network Vulnerability Assessment ? Why Should Every Company Do it at least once a Year !

Network vulnerability assessment analyzes a variety of network issues,...

Artificial Intelligence and Cyber Security

As artificial intelligence intrudes into the world of cybersecurity,...

You might also likeRELATED
Recommended to you