Newly fixed RCE vulnerability in Serv-U attacked by Chinese hack group DEV-0322

Earlier this week, SolarWinds developers patched an RCE vulnerability (CVE-2021-35211) in Serv-U and warned that hackers were already exploiting the problem. According to the company, the vulnerability was exploited by only one attacker in attacks aimed at a limited number of victims.

This vulnerability only affects Serv-U Managed File Transfer and Serv-U Secure FTP. All Serv-U versions up to the updated 15.2.3 HF2, released a few days ago and containing a fix, are considered vulnerable.

The bug was originally discovered by Microsoft, as well as targeted attacks on unnamed SolarWinds customers, and the company now has shared details of its find.

Microsoft experts said that the vulnerability in Serv-U is exploited by Chinese hackers, using it to attack defense and software companies in the United States. The company tracks this hack group under the ID DEV-0322.

It is reported that the threat was discovered due to the fact that Defender began to notice malicious processes generated by the main application Serv-U, which ultimately led to an investigation of what was happening and the detection of attacks on a zero-day vulnerability.

Microsoft says Serv-U users can test their devices for compromise by looking at the Serv-U log file (DebugSocketLog.txt) and searching for exception messages. In particular, “C0000005; CSUSSHSocket :: ProcessReceive ”may indicate that attackers tried to hack Serv-U, although the exception may be displayed for other reasons as well.

Other signs of compromise were named:

• recently created .txt files in the Client\Common\folder;
• Serv-U spawns processes for mshta.exe, powershell.exe, cmd.exe and processes launched from C:\Windows\temp;
• unrecognized global users in Serv-U configuration.

Unfortunately, according to Censys, there are currently over 8,200 SolarWinds Serv-U systems available on the network with an open SSH port, and the number has remained unchanged since last week when the patches were released.

Let me remind you that we wrote that SolarWinds Attack Gives Hackers Access to Trump Administration Officials Accounts, as well as that IS experts gained access to the servers of hackers who attacked SolarWinds.