According to Microsoft, the latest series of cyberattacks targeting the SolarWinds Serv-U managed file transfer service using a now-patched Remote Code Execution (RCE) exploit is the work of Chinese threat actors known as “DEV-0322.”
The news comes just days after the Texas-based IT monitoring software maker released patches for a security bug that may allow attackers to run arbitrary code with privileges, enabling them to install and launch malicious payloads or to access and edit crucial data remotely.
The RCE flaw, which has been assigned the identifier CVE-2021-35211, is found in Serv-U’s implementation of the Secure Shell (SSH) protocol. SolarWinds said it is “unaware of the identity of the potentially affected customers,” even though the attacks were previously reported to be limited in scope.
Microsoft Threat Intelligence Center (MSTIC) attributed the intrusions to DEV-0322 (short for “Development Group 0322”) with high confidence, based on observed victimology, tactics, and procedures. According to MSTIC, the adversary targeted entities in the United States Defense Industrial Base Sector and software companies.
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” according to MSTIC, which discovered the zero-day after it detected as many as six anomalous malicious processes being spawned from the main Serv-U process, indicating a compromise.
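The detection signal MSTIC describes, child processes being spawned by the Serv-U service process, is something defenders can hunt for in their own process-creation telemetry. The following is an added example written for this article, not code from Microsoft or SolarWinds. It assumes the Serv-U service runs as an executable named Serv-U.exe (an assumption about the product, not a fact stated above), that process-creation events have been flattened into a simple pipe-delimited text form (a constructed layout, not a real Sysmon schema), and that the install path and sample events shown are constructed for illustration.

```python
"""Hunt for processes spawned by the Serv-U service process.

A managed file transfer service has little routine reason to launch
other programs, so any child of the Serv-U process is worth review
unless it is explicitly allowlisted for your deployment.
"""
from collections import Counter
from ntpath import basename as win_basename  # handles backslash paths on any host

# Assumption: the Serv-U service executable is named Serv-U.exe.
SERVU_IMAGE = "serv-u.exe"

# Constructed sample telemetry (not real logs). Format, also constructed:
#   <timestamp>|ParentImage=<path>|Image=<path>|CommandLine=<text>
SAMPLE_LOG = r"""
2021-07-13T10:00:01Z|ParentImage=C:\Windows\System32\services.exe|Image=C:\Serv-U\Serv-U.exe|CommandLine=Serv-U.exe
2021-07-13T10:00:07Z|ParentImage=C:\Serv-U\Serv-U.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami
2021-07-13T10:00:09Z|ParentImage=C:\Serv-U\Serv-U.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile
2021-07-13T10:00:12Z|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe
2021-07-13T10:00:15Z|ParentImage=C:\Serv-U\Serv-U.exe|Image=C:\Windows\System32\whoami.exe|CommandLine=whoami.exe
"""


def image_name(path: str) -> str:
    """Return the lowercase file name of a Windows image path."""
    return win_basename(path).lower()


def parse_event(line: str) -> dict:
    """Parse one constructed process-creation record into a dict."""
    timestamp, *fields = line.split("|")
    event = {"timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_servu_children(lines, allowlist=frozenset()):
    """Return events whose parent is the Serv-U process and whose child
    image is not in the (case-insensitive) allowlist."""
    allowed = {name.lower() for name in allowlist}
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        parent = image_name(event.get("ParentImage", ""))
        child = image_name(event.get("Image", ""))
        if parent == SERVU_IMAGE and child not in allowed:
            flagged.append(event)
    return flagged


def summarize(flagged):
    """Count flagged child images. Several distinct children spawned from
    the service process is the pattern MSTIC described as indicating compromise."""
    return Counter(image_name(event["Image"]) for event in flagged)


if __name__ == "__main__":
    hits = find_servu_children(SAMPLE_LOG.splitlines())
    for event in hits:
        print(event["timestamp"], image_name(event["Image"]), event.get("CommandLine", ""))
    print("distinct child images:", dict(summarize(hits)))
```

In production the same logic maps onto an EDR or SIEM query keyed on parent image name; the allowlist exists so that any legitimate helper the vendor's own process launches in your environment can be excluded once you have verified it, rather than silencing the rule outright.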