Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack – Microsoft says
Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting the SolarWinds Serv-U managed file transfer service, which it has attributed with “high confidence” to a threat actor operating out of the Republic of China.
In mid-July, the Texas-based company patched a remote code execution flaw (CVE-2021-35211) rooted in Serv-U’s implementation of the Secure Shell (SSH) protocol, which attackers could use to run arbitrary code on the affected system, including installing malicious programs and viewing, changing, or deleting sensitive data.
“The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the configuration set by default,” the Microsoft Offensive Research and Security Engineering team said in a detailed write-up describing the exploit used by the hackers.
“An attacker can simply exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then let the attacker easily install or run programs, such as in the case of the targeted attack we had reported before,” the researchers added.
While Microsoft linked the attacks to DEV-0322, a China-based collective, citing “observed victimology, tactics, and procedures,” the company has now revealed that the remote, pre-auth vulnerability stemmed from the way the Serv-U process handled access violations without terminating the process, which made it simple to carry out stealthy and profitable exploitation attempts.
“The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context,” the researchers said. “This helped the attackers to use uninitialized data as a function pointer during the decryption of successive SSH messages.”
“Therefore, an attacker could easily exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without Address Space Layout Randomization (ASLR) loaded by the Serv-U process to facilitate exploitation,” the researchers added.
ASLR makes memory-corruption exploits such as buffer overflows harder by randomizing the addresses at which executables and libraries are loaded into memory.
Microsoft, which reported the vulnerability to SolarWinds, said it recommended enabling ASLR compatibility for all binaries loaded in the Serv-U process. “ASLR is a critical security mitigation for services which are regularly exposed to untrusted remote inputs, and requires that all the binaries in the process are compatible in order to be useful for preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U,” the researchers said.
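As an added example (not code from Microsoft or SolarWinds), here is a small C check for the mitigation Microsoft recommended: it parses a PE image's headers and reports whether the binary opts into ASLR, treating an image that sets DYNAMIC_BASE but has its relocations stripped as not compatible. The minimal PE32+ header it builds is constructed for the demonstration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Flag values from the PE/COFF specification. */
#define IMAGE_FILE_RELOCS_STRIPPED               0x0001
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    0x0040

struct aslr_status { int valid, dynamic_base, high_entropy, relocs_stripped; };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }

/* Walk DOS header -> "PE\0\0" -> COFF header -> optional header, bounds-checking every offset. */
struct aslr_status pe_aslr_status(const unsigned char *buf, size_t len) {
    struct aslr_status s = {0, 0, 0, 0};
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return s;
    uint32_t pe = rd32(buf + 0x3C);                   /* e_lfanew: offset of the PE signature */
    if (pe > len || len - pe < 4 + 20 + 72) return s; /* signature + COFF + opt hdr through DllCharacteristics */
    if (memcmp(buf + pe, "PE\0\0", 4) != 0) return s;
    uint16_t opt_size   = rd16(buf + pe + 4 + 16);    /* COFF.SizeOfOptionalHeader */
    uint16_t coff_chars = rd16(buf + pe + 4 + 18);    /* COFF.Characteristics */
    uint16_t magic      = rd16(buf + pe + 24);        /* 0x10b = PE32, 0x20b = PE32+ */
    if (opt_size < 72 || (magic != 0x10b && magic != 0x20b)) return s;
    uint16_t dllchars = rd16(buf + pe + 24 + 70);     /* DllCharacteristics sits at offset 70 in both formats */
    s.valid = 1;
    s.dynamic_base    = (dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    s.high_entropy    = (dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) != 0;
    s.relocs_stripped = (coff_chars & IMAGE_FILE_RELOCS_STRIPPED) != 0;
    return s;
}

/* DYNAMIC_BASE alone is not enough: with relocations stripped the loader cannot move the image. */
int pe_is_aslr_compatible(const unsigned char *buf, size_t len) {
    struct aslr_status s = pe_aslr_status(buf, len);
    return s.valid && s.dynamic_base && !s.relocs_stripped;
}

/* Constructed minimal PE32+ header (not a real binary) so the check can run offline. */
size_t build_min_pe(unsigned char *out, size_t cap, uint16_t coff_chars, uint16_t dllchars) {
    const size_t pe = 0x40, need = pe + 4 + 20 + 96;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z'; out[0x3C] = (unsigned char)pe;
    memcpy(out + pe, "PE\0\0", 4);
    wr16(out + pe + 4 + 16, 96);                      /* SizeOfOptionalHeader */
    wr16(out + pe + 4 + 18, coff_chars);
    wr16(out + pe + 24, 0x20b);                       /* Magic: PE32+ */
    wr16(out + pe + 24 + 70, dllchars);
    return need;
}
```

On a real system the same function would be run over every DLL mapped into the Serv-U process; any image where it returns 0 is one an exploit could address with hardcoded offsets.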
If anything, the revelations highlight the wide range of tools and techniques threat actors use to breach corporate networks, including piggybacking on legitimate software.
Although the SolarWinds supply chain attacks have formally been blamed on Russian APT29 hackers, Microsoft in December 2020 disclosed that a separate espionage group may have been taking advantage of the IT infrastructure provider’s Orion software to install a persistent backdoor called Supernova on infected systems. Cybersecurity firm Secureworks attributed the intrusions to a China-based threat actor by the name of Spiral.