SolarWinds vulnerabilities were targeted by a group of overseas hackers months after the US information technology company started to suffer a widespread cyberattack. On Tuesday, Microsoft said that a group operating out of China was exploiting a zero-day remote code execution flaw to attack SolarWinds software. If successfully exploited, the flaw in the IT company’s Serv-U software could allow attackers to install and run malicious payloads or view and change data, Microsoft noted in a blog post.
As part of its investigation, Microsoft said it had observed the hacking group targeting organizations in the US military research and development and software sectors. The company has designated the actor as DEV-0322, in reference to its status as an unidentified “development group.” Microsoft explained that it uses the label prior to reaching high confidence about the origin or identity of a hacker. The group operating out of China is using commercial VPN solutions and compromised consumer routers to carry out its attacks, Microsoft said. Those affected have been notified and assisted in their response, the company noted.
SolarWinds confirmed over the weekend that it had been notified by Microsoft of a security vulnerability in its Serv-U software. The flaw was in the product’s managed file transfer and secured FTP components, which SolarWinds has since patched.
SolarWinds gained overnight fame in December after it became the subject of a supply chain cyberattack that impacted 18,000 of its customers, including nine US government organizations. US intelligence released a joint statement in January naming Russia as the most likely source of the hack. Reuters reported that suspected Chinese hackers had exploited a separate flaw in SolarWinds’ software to help breach US government computers last year. This vulnerability is not related to the so-called Sunburst supply chain attack, SolarWinds said.