Microsoft says latest SolarWinds attack appeared to come from China

Chinese threat actors have targeted SolarWinds vulnerabilities

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurityresearchers atMicrosofthave revealed that China-based threat actors were behind the recent campaign, which exploited the now-patched vulnerabilities in a couple ofSolarWindsServ-U products.

Microsoft brought this to the attention of SolarWinds who thenreleased a hotfixto patch the remote code execution (RCE) vulnerability in Serv-U’s implementation of the Secure Shell (SSH) protocol.

“Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures,” shared Microsoft in ablog post.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

Click here to start the survey in a new window«

Repeat offenders

Repeat offenders

Without sharing details about the targets in the latest campaign, the MSTIC blog post notes that the DEV-0322 threat group has previously targeted entities in the U.S. Defense Industrial Base sector as well as software companies.

In addition to the group using China as its base of operations, MSTIC shared that DEV-0322’s attack infrastructure is composed ofcommercial VPNsolutions and compromised consumerrouters.

It was malicious processes in Serv-U’s main application, flagged byMicrosoft Defender, which led MSTIC to discover the recent DEV-0322 SolarWinds campaign.

Notably, this isn’t the first instance if Chinese-based threat actors have been found abusing vulnerability in SolarWinds. While unraveling last year’smassive cyber-espionage campaign, blamed on state-sponsored Russian hackers, security researchers discovered a parallel hack campaign.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Digging deeper, theresearchers found evidenceof the China-based threat group known as Spiral exploiting a vulnerability in SolarWinds software called Orion as a springboard to deploy the .NET web shell dubbedSupernova, alongside the widely reported supply chain attack.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

5 must-have Android apps