A few weeks ago, experts identified a severe zero-day remote code execution exploit aimed at SolarWinds Serv-U FTP software. Researchers have now disclosed details about the attacker.
Recently, Microsoft linked a limited and highly targeted attack on SolarWinds Serv-U with a Chinese threat actor, DEV-0322. The actor abuses Serv-U servers by connecting to the open SSH port and sending a malicious pre-authentication connection request that runs its code and takes control of the exposed device. Some Serv-U binaries were not protected by ASLR (Address Space Layout Randomization), which left them easier to exploit. Microsoft did not provide information about the actor's post-compromise activities, such as cyberespionage, intelligence collection, or cryptomining, but it did publish technical details of how the attackers exploited the zero-day. The flaw, for which a patch is now available, is tracked as CVE-2021-35211.
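The point about unprotected binaries is worth checking on your own servers: on Windows, ASLR only applies to a module whose PE optional header carries the DYNAMIC_BASE flag (and whose relocations have not been stripped). The following script is an added example, not code from the article, Microsoft, or SolarWinds; it parses the PE headers directly with the standard library so it runs without third-party modules. The flag bit values come from the PE/COFF specification; the sample PE images it builds for self-testing are constructed and minimal, not real Serv-U binaries.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # opt in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # opt in to DEP
# COFF Characteristics bit: relocations stripped, so the image cannot be moved.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Return which exploit mitigations a PE image opts in to."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, _nsec, _ts, _symptr, _nsym,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):     # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == 0x20B,
        "machine": machine,
        "dynamic_base": dynamic_base,
        # ASLR is only effective when the image can actually be relocated.
        "aslr": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
    }


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False,
                    relocs_stripped: bool = False) -> bytes:
    """Construct a minimal PE image (headers only) for self-testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96
    coff_chars = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       1, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def report(path: str) -> str:
    with open(path, "rb") as f:
        m = pe_mitigations(f.read())
    status = "OK" if m["aslr"] and m["nx_compat"] else "WEAK"
    return "%s %s aslr=%s nx=%s high_entropy=%s relocs_stripped=%s" % (
        status, path, m["aslr"], m["nx_compat"], m["high_entropy_va"],
        m["relocs_stripped"])


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <path-to-exe-or-dll> ...
    for p in sys.argv[1:]:
        print(report(p))
```

Run it against the executables and DLLs in a Serv-U install directory (or any other exposed service); anything reported as WEAK is a candidate for vendor follow-up or for enforcing mandatory ASLR via Windows Exploit Protection, which can randomize images that did not opt in.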