Our readers may recall that SolarWinds, VMWare, and Microsoft were targeted in a supply chain attack late last year. The scale of the cyberattack spanned across the United States' federal departments, the UK, the European Parliament, and thousands of other organizations. Attackers were even able to access private emails and documents of some companies. Now, Microsoft has published an advisory about yet another 0-day exploit targeting SolarWinds software.
This time, attackers are utilizing a remote code execution exploit on SolarWinds' Serv-U Managed File Transfer and Secured FTP software in the U.S. Microsoft says that it detected the attack and privately reported it to SolarWinds. The firm then deployed a hotfix to patch the issue last week. The exploit allows attackers to use Serv-U's SSH endpoint exposed to the internet to deploy malicious payloads, execute code remotely, and also read and edit data that they get access to.
Based on attack patterns and strategies, Microsoft believes that the cyberattack is being orchestrated by a relatively obscure Chinese group currently dubbed "DEV-0322". Their malicious attempts currently target software firms and the U.S. Defense Industrial Base Sector.
Microsoft says that it discovered exploitation activity during its routine reviews of Microsoft Defender 365 telemetry. The Microsoft Threat Intelligence Center (MSTIC) then joined forces with the Microsoft Offensive Security Research team, which performed a full-fledged investigation of the root cause of the vulnerability. This was then privately reported to SolarWinds who built and deployed a patch while Microsoft's teams worked to inform affected customers and develop safeguards to crack down on this malicious activity.
If you use the affected SolarWinds software, it is recommended that you view Microsoft's detailed guidance about Indicators of Compromise (IoCs) and attack signatures here, utilize Microsoft 365 Defender, and visit SolarWinds website here for information about upgrade paths to deploy the hotfix.