Chinese Hackers Behind July 2021 SolarWinds Zero-day Attacks (therecord.media)
In mid-July this year, Texas-based software provider SolarWinds released an emergency security update to patch a zero-day in its Serv-U file transfer technology that was being exploited in the wild. From a report: At the time, SolarWinds did not share any details about the attacks and only said that it learned of the bug from Microsoft's security team. In a blog post on Thursday, Microsoft revealed more details about the July attacks. The company said the zero-day was the work of a new threat actor it was tracking as DEV-0322, which Microsoft described as "a group operating out of China, based on observed victimology, tactics, and procedures." Microsoft said the group targeted SolarWinds Serv-U servers "by connecting to the open SSH port and sending a malformed pre-auth connection request," which allowed DEV-0322 operators to run malicious code on the targeted system and take over vulnerable devices. The OS maker did not go into details about what the intruders did once they breached a target. It is unclear if the hackers were interested in cyber-espionage and intelligence collection or if DEV-0322 was a run-of-the-mill crypto-mining gang.
so, it wasn't the Russians, after all? (Score:1)
so, it wasn't the Russians, after all?
I thought all the reporting until this pointed to Russia's involvement. Am I mistaken?
Re:so, it wasn't the Russians, after all? (Score:4, Informative)
That was my initial thought, but then I read more carefully. This is a new hack. It happened July this year.
We should read the headline (Score:2)
My first thought too. Apparently neither of us actually read the headline - "July 2021 attack".
Re: (Score:1)
> so, it wasn't the Russians, after all?
They were too busy not hacking the election so their puppet Trump wouldn't be elec... geez, these Russian conspiracies don't even make sense anymore.
SSH vulnerability? (Score:2)
Anyone have insight into how this works? Is this a bug in SSH? Or is this a bug that presumes you start with appropriate credentials to establish an SSH connection?
Re: (Score:3)
It's in Serv-U, not in OpenBSD's ssh. Notably some of the DLLs were not compiled with ASLR, so you can tell they aren't thinking about security.
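The ASLR point in the comment above is something a defender can check on their own installation without any vendor tooling: a Windows PE image records whether it opted into ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), 64-bit high-entropy ASLR (HIGH_ENTROPY_VA) and DEP (NX_COMPAT) in the DllCharacteristics field of its optional header. The script below is an added example, not code from the post, from SolarWinds or from Microsoft. It parses the header directly from bytes, and because it has to run offline it builds a few header-only PE images inline as constructed test data; the file names (hardened.dll, legacy.dll, nx_only.dll) are invented and say nothing about the real Serv-U DLLs.

```python
import struct
import sys

# DllCharacteristics flag bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image is ASLR-compatible
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image is DEP-compatible


def pe_mitigations(data: bytes) -> dict:
    """Return which of ASLR / high-entropy ASLR / DEP a PE image opts into.

    Walks MZ header -> e_lfanew -> "PE\\0\\0" -> COFF header (20 bytes) ->
    optional header; DllCharacteristics sits at offset 70 of the optional
    header for both PE32 (magic 0x10B) and PE32+ (magic 0x20B).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too small to hold DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def find_unprotected(images: dict) -> list:
    """Names of images (name -> bytes) that did not opt into ASLR."""
    return [name for name, data in images.items() if not pe_mitigations(data)["aslr"]]


def make_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Build a header-only PE image. Constructed test data, not a real DLL."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE).
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample images; names are invented for the example.
SAMPLE_IMAGES = {
    "hardened.dll": make_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                    | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                                    | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "legacy.dll": make_minimal_pe(0, pe32plus=False),
    "nx_only.dll": make_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
}


if __name__ == "__main__":
    # With file paths on the command line, audit real images; otherwise the samples.
    images = SAMPLE_IMAGES
    if len(sys.argv) > 1:
        images = {p: open(p, "rb").read() for p in sys.argv[1:]}
    for name, data in images.items():
        print(name, pe_mitigations(data))
    print("missing ASLR:", find_unprotected(images))
```

Run it with `python check_aslr.py C:\path\to\*.dll` to audit a directory of real images; the flags only say what the image opted into, so an image built without DYNAMIC_BASE will be loaded at its preferred base even on a system with mandatory ASLR disabled, which is the weakness the comment points at.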
Since China has permanent MFN... (Score:3)
Since China has permanent "most favored nation" status and we import more from them than any other country, I'm sure the Communist Chinese government had nothing whatsoever to do with this hacking group. And furthermore, I'm sure the Communist Chinese government will go through great lengths to track down this hacker group and bring them to justice. Right?
Re: (Score:2)
Absolutely.
Unlike Russia, of course, where we know that every single hacker group works for Putin personally, and thus their activities justify new sanctions.
And let's not mention our friends, where hackers are just misguided kids and we don't need to do anything about them at all.
Self-serving cyber-waffle (Score:2)