Chinese Hackers Behind July 2021 SolarWinds Zero-day Attacks

In mid-July this year, Texas-based software provider SolarWinds released an emergency security update to patch a zero-day in its Serv-U file transferring technology that was being exploited in the wild. From a report: At the time, SolarWinds did not share any details about the attacks and only said that it learned of the bug from Microsoft’s security team. In a blog post on Thursday, Microsoft revealed more details about the July attacks. The company said the zero-day was the work of a new threat actor the company was tracking as DEV-0322, which Microsoft described as “a group operating out of China, based on observed victimology, tactics, and procedures.” Microsoft said the group targeted SolarWinds Serv-U servers “by connecting to the open SSH port and sending a malformed pre-auth connection request,” which allowed DEV-0322 operators to run malicious code on the targeted system and take over vulnerable devices. The OS maker did not go into details about what the intruders did once they breached a target. It is unclear if the hackers were interested in cyber-espionage and intelligence collection or if DEV-0322 was a run-of-the-mill crypto-mining gang.