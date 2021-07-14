Microsoft said on Tuesday it recently discovered a 0-day remote code execution (RCE) exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The RCE vulnerability was detected in Microsoft 365 Defender telemetry during a routine investigation.

The Microsoft Threat Intelligence Center (MSTIC) has attributed this campaign with high confidence to DEV-0322, a group operating out of China.

"MSTIC has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," Microsoft wrote in a blog post on Tuesday.

MSTIC and the Microsoft Offensive Security Research team worked together to find the root cause and, once it was found, reported the vulnerability to SolarWinds, which quickly patched it. The flaw is tracked as CVE-2021-35211.

"The vulnerability, which Microsoft reported to SolarWinds, exists in Serv-U's implementation of the Secure Shell (SSH) protocol. If Serv-U's SSH is exposed to the internet, successful exploitation would give attackers the ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data. We strongly urge all customers to update their instances of Serv-U to the latest available version," MSTIC explained.
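The practical first step behind that advice is knowing which Serv-U SSH listeners you actually expose. The script below is an added example written for this article, not code from Microsoft or SolarWinds: it parses SSH identification strings (RFC 4253 section 4.2) from constructed sample banners, flags the ones advertising Serv-U, and compares the advertised version against a baseline the operator supplies. Two assumptions are not stated on the page: that Serv-U identifies itself as `Serv-U_<version>` in the software field, and the baseline `(15, 2, 3)` used in the sample run, which is a placeholder to be replaced with the version from the vendor advisory. Hotfix levels may not show up in the banner, so a version at or above the baseline means "not obviously old", not "confirmed patched".

```python
"""Triage exposed SSH listeners by banner: is it Serv-U, and how old is it?"""
import re
import socket
from typing import NamedTuple, Optional, Tuple

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Assumption (not stated in the article): Serv-U advertises itself as
# "Serv-U_<dotted version>" in the softwareversion field.
_SERVU_RE = re.compile(r"^Serv-U_(\d+(?:\.\d+)*)$", re.IGNORECASE)


class SshBanner(NamedTuple):
    proto: str
    software: str
    comments: str


def parse_banner(line: str) -> Optional[SshBanner]:
    """Parse one SSH identification line; None if the line is not one."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return SshBanner(m["proto"], m["software"], m["comments"] or "")


def servu_version(banner: SshBanner) -> Optional[Tuple[int, ...]]:
    """Numeric Serv-U version from the banner, or None if this is not Serv-U."""
    m = _SERVU_RE.match(banner.software)
    if m is None:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def assess(line: str, min_fixed: Tuple[int, ...]) -> str:
    """Classify a banner line for triage.

    min_fixed is the lowest release the operator has confirmed as patched,
    taken from the vendor advisory (the article gives no number). Hotfix
    levels may be absent from the banner, so "at-or-above-min" only means
    the host is not obviously old, not that it is proven patched.
    """
    banner = parse_banner(line)
    if banner is None:
        return "not-ssh"
    version = servu_version(banner)
    if version is None:
        return "not-serv-u"
    # Zero-pad the shorter tuple so 15.2.3 compares equal to 15.2.3.0.
    width = max(len(version), len(min_fixed))
    v = version + (0,) * (width - len(version))
    f = min_fixed + (0,) * (width - len(min_fixed))
    return "serv-u-below-min" if v < f else "serv-u-at-or-above-min"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> Optional[str]:
    """Connect, return the server's SSH identification line, disconnect.

    RFC 4253 lets a server send other lines before the SSH- line, so keep
    reading until one appears or a small buffer limit is reached.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            buf = b""
            while len(buf) < 8192:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
                for raw in buf.decode("utf-8", "replace").splitlines():
                    if raw.startswith("SSH-"):
                        return raw
    except OSError:
        return None
    return None


# Constructed sample banners for an offline run; not captured from real hosts.
SAMPLE_BANNERS = {
    "ftp-old.example": "SSH-2.0-Serv-U_15.2.2.1\r\n",
    "ftp-new.example": "SSH-2.0-Serv-U_15.2.3.717\r\n",
    "bastion.example": "SSH-2.0-OpenSSH_8.4 Ubuntu-6ubuntu2\r\n",
    "plain-ftp.example": "220 ftp.example FTP server ready\r\n",
}


def triage_samples(min_fixed: Tuple[int, ...] = (15, 2, 3)) -> dict:
    """Run assess() over the constructed samples; (15, 2, 3) is a placeholder."""
    return {host: assess(b, min_fixed) for host, b in SAMPLE_BANNERS.items()}


if __name__ == "__main__":
    for host, verdict in triage_samples().items():
        print(f"{host:20} {verdict}")
```

For a live inventory, feed `grab_banner(host, port)` into `assess()` for each externally reachable host and port from your asset list; anything classified `serv-u-below-min`, and anything Serv-U at all on an internet-facing address, is where the advisory's "update to the latest available version" applies first.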

In an updated advisory, SolarWinds said on Tuesday that only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows are affected by this vulnerability, adding that Serv-U Gateway is a component of these two products and is not a separate product.

SolarWinds further noted that the Linux versions of these products are not vulnerable to an RCE exploit of this flaw: when a threat actor attempts the exploit against the Linux build, the Serv-U process crashes rather than executing the attacker's code.