Chinese hackers exploit new zero-day in SolarWinds software

Microsoft's Threat Intelligence Centre has found a new zero-day vulnerability in SolarWinds software, which is currently being exploited by a Chinese hacking group.

SolarWinds network monitoring software was in the headlines at the end of last year and throughout the first half of 2021 after a software update was compromised and used to hack around 18,000 customers worldwide, including US government agencies.

The present vulnerability involves the SolarWinds Serv-U file transfer protocol software and its implementation of the Secure Shell (SSH) encrypted transfer protocol.

"If Serv-U’s SSH is exposed to the internet, successful exploitation would give attackers [the] ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data," MSTIC said.

The bug is currently being exploited by a group MSTIC calls DEV-0322.

Microsoft said it has observed the threat actor running commands on compromised systems, and piping the output from them to the internet accessible \Client\Common folder in the SolarWinds Serv-U directory.

The threat actors have also added themselves as a Serv-U administrator on compromised systems.

SolarWinds has patched the vulnerability and customers are urged to update their Serv-U software as soon as possible.

It is possible to find traces of attacks in the Serv-U DebugSocketLog.txt log file, if exeception error messages appear in it.