News

Newly fixed RCE vulnerability in Serv-U attacked by Chinese hack group DEV-0322

Photo of Daniel Zimmermann Daniel ZimmermannJuly 14, 2021
0 88 1 minute read

Earlier this week, SolarWinds developers patched an RCE vulnerability (CVE-2021-35211) in Serv-U and warned that hackers were already exploiting the problem. According to the company, the vulnerability was exploited by only one attacker in attacks aimed at a limited number of victims.

This vulnerability only affects Serv-U Managed File Transfer and Serv-U Secure FTP. All Serv-U versions up to the updated 15.2.3 HF2, released a few days ago and containing a fix, are considered vulnerable.

The bug was originally discovered by Microsoft, as well as targeted attacks on unnamed SolarWinds customers, and the company now has shared details of its find.

Microsoft experts said that the vulnerability in Serv-U is exploited by Chinese hackers, using it to attack defense and software companies in the United States. The company tracks this hack group under the ID DEV-0322.

It is reported that the threat was discovered due to the fact that Defender began to notice malicious processes generated by the main application Serv-U, which ultimately led to an investigation of what was happening and the detection of attacks on a zero-day vulnerability.

The activity of this group comes from China, we watched as [attackers] use commercial VPN solutions and hacked consumer routers in their infrastructure.the experts write.

Microsoft says Serv-U users can test their devices for compromise by looking at the Serv-U log file (DebugSocketLog.txt) and searching for exception messages. In particular, “C0000005; CSUSSHSocket :: ProcessReceive ”may indicate that attackers tried to hack Serv-U, although the exception may be displayed for other reasons as well.

Other signs of compromise were named:

  • recently created .txt files in the Client\Common\folder;
  • Serv-U spawns processes for mshta.exe, powershell.exe, cmd.exe and processes launched from C:\Windows\temp;
  • unrecognized global users in Serv-U configuration.

Unfortunately, according to Censys, there are currently over 8,200 SolarWinds Serv-U systems available on the network with an open SSH port, and the number has remained unchanged since last week when the patches were released.

Let me remind you that we wrote that SolarWinds Attack Gives Hackers Access to Trump Administration Officials Accounts, as well as that IS experts gained access to the servers of hackers who attacked SolarWinds.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Tags
Photo of Daniel Zimmermann Daniel ZimmermannJuly 14, 2021
0 88 1 minute read
Photo of Daniel Zimmermann

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Ad dropper on google play

Researchers found on Google Play ad dropper that was downloaded more than 100 million times

August 29, 2019
Stealing Facebook users passwords

Android apps installed 5.8 million times are stealing Facebook users passwords

July 5, 2021
European Commission Google methods

Eurocommission investigates Google data collection methods

December 3, 2019
SolarWinds attacks and Chinese hackers

Chinese hackers also took part in attacks on SolarWinds clients

March 9, 2021

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Copyright 2024, All Rights Reserved  | Adware.Guru;
Back to top button