https://arstechnica.com/gadgets/2021/07/microsoft-discovers-critical-solarwinds-zero-day-under-active-attack/

SOLARFLARE -- Microsoft discovers critical SolarWinds zero-day under active attack

Flaws allow attackers to run malicious code on machines hosting Serv-U products.

Dan Goodin - Jul 12, 2021 7:25 pm UTC

[Image: A phone and the wall behind it share a SolarWinds logo. Getty Images]

SolarWinds, the company at the center of a supply chain attack that compromised nine US agencies and 100 private companies, is scrambling to contain a new security threat: a critical zero-day vulnerability in its Serv-U product line.

Microsoft discovered the exploits and privately reported them to SolarWinds, the latter company said in an advisory published on Friday. SolarWinds said the attacks are entirely unrelated to the supply chain attack discovered in December.

"Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability," company officials wrote. "SolarWinds is unaware of the identity of the potentially affected customers."
Only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP--and by extension, the Serv-U Gateway, a component of those two products--are affected by this vulnerability, which allows attackers to remotely execute malicious code on vulnerable systems. An attacker can gain privileged access to exploited machines hosting Serv-U products and could then install programs; view, change, or delete data; or run programs on the affected system. The vulnerability exists in the latest Serv-U version 15.2.3 HF1, released on May 5, and all prior versions.

SolarWinds has issued a hotfix to mitigate the attacks while the company works on a permanent solution. People running Serv-U version 15.2.3 HF1 should apply hotfix (HF) 2; those using Serv-U 15.2.3 should apply Serv-U 15.2.3 HF1 and then apply Serv-U 15.2.3 HF2; and those running Serv-U versions prior to 15.2.3 should upgrade to Serv-U 15.2.3, apply Serv-U 15.2.3 HF1, and then apply Serv-U 15.2.3 HF2. The company says customers should install the fixes immediately. The hotfixes are available here. Disabling SSH access also prevents exploitation.

The federal government has attributed last year's supply chain attack to hackers working for Russia's Foreign Intelligence Service, abbreviated as the SVR, which for more than a decade has conducted malware campaigns targeting governments, political think tanks, and other organizations in countries including Germany, Uzbekistan, South Korea, and the US. Targets have included the US State Department and the White House in 2014. In last year's attack, the hackers pushed a malicious software update to about 18,000 customers of SolarWinds' Orion network management product. Of those customers, roughly 110 received a follow-on attack that installed a later-stage payload that exfiltrated proprietary data. The malware installed in the attack campaign is known as Sunburst.
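The version-dependent hotfix sequence above, encoded as a small patch-planning helper for an inventory of Serv-U hosts (an added example, not SolarWinds' code or anything from the advisory; the hostnames in the sample inventory are constructed):

```python
import re
from typing import Dict, List, Tuple

# Version and hotfix level the SolarWinds advisory names as fixed (15.2.3 HF2).
FIXED_BASE = (15, 2, 3)
FIXED_HF = 2

# Accepts strings such as "15.2.3 HF1", "15.2.3hf2" or "15.1.0".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_servu_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Split a Serv-U version string into ((major, minor, patch), hotfix_number)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    hotfix = int(m.group(4)) if m.group(4) else 0
    return base, hotfix


def remediation_steps(version: str) -> List[str]:
    """Ordered steps from the advisory; an empty list means no action under this advisory."""
    base, hotfix = parse_servu_version(version)
    if base > FIXED_BASE:
        # Newer than anything the advisory covers; it prescribes nothing for it.
        return []
    if base < FIXED_BASE:
        return ["upgrade to Serv-U 15.2.3", "apply Serv-U 15.2.3 HF1", "apply Serv-U 15.2.3 HF2"]
    if hotfix >= FIXED_HF:
        return []
    steps = []
    if hotfix < 1:
        steps.append("apply Serv-U 15.2.3 HF1")
    steps.append("apply Serv-U 15.2.3 HF2")
    return steps


def plan_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to its remediation steps; hosts with [] are already at HF2 or newer."""
    return {host: remediation_steps(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames, not from the article).
SAMPLE_INVENTORY = {"ftp-01": "15.2.3 HF1", "ftp-02": "15.2.3",
                    "ftp-03": "15.1.0", "ftp-04": "15.2.3 HF2"}

if __name__ == "__main__":
    for host, steps in plan_inventory(SAMPLE_INVENTORY).items():
        print(host, "->", " ; ".join(steps) or "no action required")
```

Until the hotfixes are applied, the advisory's interim mitigation (disabling SSH access to Serv-U) still applies to every host the plan lists with outstanding steps.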
Again, SolarWinds said the exploits underway now have no connection.

Late last year, zero-day vulnerabilities in SolarWinds' Orion product came under exploit by a different set of attackers that researchers have tied to China's government. Those attackers installed malware that researchers call SuperNova. Threat actors linked to China have also targeted SolarWinds. At least one US government agency was targeted in this operation.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.