HomeWinBuzzer NewsMicrosoft Security Team Describes New SolarWinds Exploit Originating from China

Microsoft Security Team Describes New SolarWinds Exploit Originating from China

Microsoft Threat Intelligence Center says a new SolarWinds zero-day targeting the Serv-U software is being used by Chinese hackers.


It seems the SolarWinds exploits carrying the Solarigate malware attack are ongoing. According to Microsoft Threat Intelligence Center (MSTIC), a new network is attacking SolarWinds software with a new zero-day. says the hacking group is known as “DEV-0322” and is working out of China.

This time the hackers are attacking the Serv-U FTP software from SolarWinds. MSTIC says it is likely they are trying to access information from SolarWinds customers in the US defense industry.

An everyday Defender anti-virus scan first picked up on the zero-day. Microsoft's security suite found an “anomalous malicious process”, which suggests the threat group wanted to get administrator access on the Seri-U software.

In a blog post, Microsoft Threat Intelligence Center points out such access would give hackers control over system:

“If Serv-U's SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data.”

On July 9, SolarWinds confirmed the zero-day and said users need to be on the latest Serv-U version to be safe. In other words, any Serv-U software released before May 5 is vulnerable to the exploit. A patch for the zero-day exists on newer builds. Needless to say, both SolarWinds and Microsoft are urging customers to update to the latest version.

Previous Attack

The Solarigate malware attack that targeted the SolarWinds app Orion made headlines in December 2020.

SolarWinds related attacks targeted 18,000 organizations, including government agencies. While 18,000 organizations downloaded SolarWinds Orion with the malware, a smaller number were impacted by follow on activity, according to CISA.

In December, the and Infrastructure Security Agency (CISA) debuted a PowerShell tool to help Microsoft 365 customers mitigate Solarigate. Microsoft had recently confirmed stolen Azure/Microsoft 365 credentials and access tokens were a part of the breach.

Tip of the day: When Windows 10 runs into serious problems, it's not rare to run into startup problems. Corrupted Windows files, incorrect system configuration, driver failure, or registry tweaks can all cause this issue.

Using Windows 10 startup repair can fix boot issues caused by the most prevalent issues. Though it may seem that all is lost when you run into startup problems, it's important to try a Windows 10 boot repair so you can at least narrow down the source of the issue. If it doesn't work, you may have to reinstall the OS or test your hardware.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News