Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/22/2021
07:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Supernova Malware Actors Masqueraded as Remote Workers to Access Breached Network

China-based Spiral group is believed to be behind year-long attack, which exploited a flaw in SolarWinds Orion technology to drop a Web shell.

Members of an advanced persistent threat (APT) group, masquerading as teleworking employees with legitimate credentials, accessed a US organization's network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft.

The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said Thursday in a report summarizing the findings of its investigation into the incident.

Related Content:

7 Old IT Things Every New InfoSec Pro Should Know

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

The report is the latest involving SolarWinds and its Orion network management server technology. However, the Supernova tool and the APT group behind it are separate from the group that used legitimate Orion software updates to distribute malware dubbed Sunburst to 18,000 organizations around the world. Last week the US government formally attributed that widely reported attack — described by many as one of the most sophisticated ever — to Russia's Foreign Intelligence Service, SVR.

CISA's malware analysis report, which includes indicators of compromise and mitigation recommendations, did not attribute the Supernova attack to any specific group or country. However, others such as Secureworks that have investigated similar intrusions lately have ascribed Supernova and its operators to Spiral, a believed China-based threat group. Only a small handful of organizations are known to have been infected with Supernova, so far at least.

In its report, CISA describes the incident as likely beginning last March when the attackers connected to the unnamed US entity's network via a Pulse Secure virtual private network (VPN) appliance. CISA's investigation showed the attackers used three residential IP addresses to access the VPN appliance. They authenticated to it using valid user accounts, none of which were protected by multifactor authentication. CISA said it has not been able to determine how the attackers obtained the credentials. The VPN access allowed the attackers to masquerade as legitimate remote employees of the organization.

Once the attackers gained initial access to the victim network, they moved laterally on it to the SolarWinds Orion server and installed Supernova, a .Net Web shell, on it. As was the case with the handful of other breaches involving Supernova, the attackers appear to have exploited an authentication bypass flaw (CVE-2020-10148) in SolarWinds Orion's API to execute a PowerShell script for running the Web shell.

"CISA believes the threat actor leveraged CVE-2020-10148 to bypass the authentication to the SolarWinds appliance and then used SolarWinds Orion API to run commands with the same privileges the SolarWinds appliance was running (in this case SYSTEM)," CISA explained.

Unlike the Sunburst backdoor associated with the Russia campaign, the attackers did not embed Supernova into the Orion technology. Instead, they installed the malware on servers running Orion by exploiting CVE-2020-10148. Once installed, the attackers used the Web shell to dump credentials from the SolarWinds server. Weeks later the adversary again connected via the VPN appliance and tried using the stolen credentials to access an additional workstation. On another occasion, the threat actor used Windows Management Instrumentation and other legitimate utilities to gather information about running process to collect, archive, and exfiltrate data.

Consistent With Other Attacks
Don Smith, senior director with Secureworks' counter threat unit, says the timing, tools, tactics, and procedures that CISA described this week are consistent with the company's own findings from its investigation of two intrusions at a customer location.

The report corroborates "our assessment that the two intrusions we responded to at the same organization were both perpetrated by the same threat actor, [(Spiral aka Bronze Spiral]," Smith says.

Those TTPs included initial access through exploitation of vulnerable Internet-facing systems, he says. It also includes "deployment of the Supernova Web shell, credential theft, ongoing access through VPN services using legitimate credentials, the deployment of other tools renamed to disguise their function, and the use of compromised infrastructure for command and control," Smith says.

The Supernova campaign was highly targeted and appears to have impacted only a very small number of organizations. However, it does serve as an example of how adversaries are constantly looking to exploit vulnerabilities they can exploit for initial access. Once established on a network, such threats can be hard to eliminate, Smith notes.

"We should also remember that it does not take long for other, more opportunistic threats like ransomware operators to seize on exploits once they become public and look to use them for their own gain, at which point any organization is a potential target," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34390
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
CVE-2021-34391
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
CVE-2021-34392
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
CVE-2021-34393
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
CVE-2021-34394
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.