Overseas hackers continue to target the SolarWinds months after the first massive hack on the IT service company. One of the earlier attacks left a Microsoft customer support agent a victim, said Engadget. Now, months after Microsoft's investigations, they posted in a recent blog post that they have discovered a group of hackers operating out of China.

SolarWinds Serv-U Software Hackers Uncovered by Microsoft: DEV-0322

Microsoft reported that they have detected a zero-day remote code execution exploit being used to attach the Serv-U FTP software by SolarWinds. The attacks were limited and targeted.

If successfully exploited, the flaw in the IT company's software can allow hackers to perform actions like installing and running malicious payloads or viewing and changing data, Microsft explained.

The investigation was done by the Microsoft Threat Intelligence Center (MSTIC) and they pinpointed "with high confidence" that the malicious actor is a group they have called DEV-0322. When tracking and investigating the malicious cyber activities, they identify each threat actor as a "development group" or "DEV group" and assigned each group a four-digit number for easier tracking.

The DEV-0322 group, operating out of China, has been targeting entities in the U.S. Defense Industrial Base Sector and software companies, Microsoft reported. The group has been observed to use commercial VPN solutions and compromised consumer routers in their attacker infrastructure.

Read Also: Smart Home Devices Expose You to Thousands of Hackers: 8 Ways You Can Protect Your Gadgets and Yourself

SolarWinds Attack Details and Security Threat

SolarWinds confirmed that the company was notified by Microsoft of a security vulnerability in its Serv-U software, Yahoo! Finance said.

The zero-day attack behavior was discovered by MSTIC during a routine investigation of its Microsoft 365 Defender telemetry. They found an anomalous malicious process spawning from the Serv-U process, suggesting that the system had been compromised.

The flaw was related to the product's managed file transfer and secured FTP. This, in turn. allowed the malicious actor to effectively add themself as a Serv-U administrator.

SolarWinds was quick to respond to the issue and built a patch, Microsoft added. Before the patch was available, the Microsoft 365 Defender team also rolled out detections to catch unknown malicious behaviors to protect and alert customers of any malicious activity pertaining to the zero-day attack.

SolarWinds gained overnight notoriety in December after it was the target of a supply chain cyberattack that impacted 18,000 of its customers which included nine US government agencies.

Earlier in January, the US intelligence release a joint statement naming Russia as the most likely source of the hack, Yahoo! Finance said. In February, reports of suspected Chinese hackers have exploited a separate flaw in SolarWinds' software to help break US government computers last year.

SolarWinds said the latest vulnerability is not related to the so-called Sunburst supply chain attack.

Customers affected by the malicious activity enrolled to Microsoft Threat Experts, the company's managed threat hunting service, and received a targeted attack notification that contained details of the compromise.

The Microsft Threat Experts and MSTIC teams worked closely with the affected customers to respond to the attack and ensure their environments were secure, Microsft reported.

Related Article: Afraid Google Home Is Recording Your Conversations? 2 Ways to Delete the Recordings, Turn Off Voice and Audio