4/22/2021
07:05 PM
Supernova Malware Actors Masqueraded as Remote Workers to Access Breached Network

China-based Spiral group is believed to be behind year-long attack, which exploited a flaw in SolarWinds Orion technology to drop a Web shell.

Members of an advanced persistent threat (APT) group, masquerading as teleworking employees with legitimate credentials, accessed a US organization's network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft.

The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said Thursday in a report summarizing the findings of its investigation into the incident.

The report is the latest involving SolarWinds and its Orion network management server technology. However, the Supernova tool and the APT group behind it are separate from the group that used legitimate Orion software updates to distribute malware dubbed Sunburst to 18,000 organizations around the world. Last week the US government formally attributed that widely reported attack — described by many as one of the most sophisticated ever — to Russia's Foreign Intelligence Service, SVR.

CISA's malware analysis report, which includes indicators of compromise and mitigation recommendations, did not attribute the Supernova attack to any specific group or country. However, others such as Secureworks that have investigated similar intrusions lately have ascribed Supernova and its operators to Spiral, a threat group believed to be based in China. So far, only a small handful of organizations are known to have been infected with Supernova.

In its report, CISA describes the incident as likely beginning last March when the attackers connected to the unnamed US entity's network via a Pulse Secure virtual private network (VPN) appliance. CISA's investigation showed the attackers used three residential IP addresses to access the VPN appliance. They authenticated to it using valid user accounts, none of which were protected by multifactor authentication. CISA said it has not been able to determine how the attackers obtained the credentials. The VPN access allowed the attackers to masquerade as legitimate remote employees of the organization.

Once the attackers gained initial access to the victim network, they moved laterally on it to the SolarWinds Orion server and installed Supernova, a .Net Web shell, on it. As was the case with the handful of other breaches involving Supernova, the attackers appear to have exploited an authentication bypass flaw (CVE-2020-10148) in SolarWinds Orion's API to execute a PowerShell script for running the Web shell.

"CISA believes the threat actor leveraged CVE-2020-10148 to bypass the authentication to the SolarWinds appliance and then used SolarWinds Orion API to run commands with the same privileges the SolarWinds appliance was running (in this case SYSTEM)," CISA explained.

Unlike the Sunburst backdoor associated with the Russia campaign, the attackers did not embed Supernova into the Orion technology. Instead, they installed the malware on servers running Orion by exploiting CVE-2020-10148. Once installed, the attackers used the Web shell to dump credentials from the SolarWinds server. Weeks later the adversary again connected via the VPN appliance and tried using the stolen credentials to access an additional workstation. On another occasion, the threat actor used Windows Management Instrumentation and other legitimate utilities to gather information about running processes and to collect, archive, and exfiltrate data.
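As an added example, not part of CISA's report or this article, the Python below hunts a VPN authentication log for the access pattern described above: valid accounts succeeding without multifactor authentication from source addresses the account had never used, and one address serving several accounts (the later reuse of stolen credentials). The log format, usernames and IP addresses are all constructed for illustration and are not Pulse Secure's real log format.

```python
"""Hunt a VPN auth log for valid-credential logins without MFA from unfamiliar
source IPs. Added example; log format and values below are constructed."""
from collections import defaultdict

# Constructed sample records: timestamp,user,source_ip,result,mfa_used
SAMPLE_LOG = """\
2020-03-02T08:01:00Z,jsmith,203.0.113.10,success,yes
2020-03-02T08:05:00Z,klee,203.0.113.11,success,yes
2020-03-09T22:12:00Z,jsmith,198.51.100.42,failure,no
2020-03-09T22:14:00Z,jsmith,198.51.100.42,success,no
2020-03-09T22:16:00Z,klee,198.51.100.42,success,no
2020-03-10T01:03:00Z,svc_backup,198.51.100.77,success,no
2020-03-10T09:00:00Z,jsmith,203.0.113.10,success,yes
"""

def parse_log(text):
    """Turn the constructed CSV-style lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result, mfa = line.split(",")
        events.append({"ts": ts, "user": user, "ip": ip,
                       "ok": result == "success", "mfa": mfa == "yes"})
    return events

def hunt(events, baseline_until):
    """Build a per-user baseline of source IPs from successful logins before
    `baseline_until` (ISO timestamps compare lexicographically), then flag
    later successes that lack MFA or come from an IP outside the baseline."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < baseline_until:
            baseline[e["user"]].add(e["ip"])
    findings = []
    for e in events:
        if not e["ok"] or e["ts"] < baseline_until:
            continue  # failed attempts and baseline-period logins are skipped
        reasons = []
        if not e["mfa"]:
            reasons.append("no_mfa")
        if e["ip"] not in baseline[e["user"]]:
            reasons.append("new_source_ip")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings

def shared_sources(findings):
    """Flagged source IPs used by more than one account: one address logging in
    as several users is a strong indicator of harvested credentials."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}
```

Running `hunt(parse_log(SAMPLE_LOG), "2020-03-05")` flags three logins and `shared_sources` reports the one address used by two accounts; in production the baseline window would come from the identity provider or VPN appliance logs rather than a string.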

Consistent With Other Attacks
Don Smith, senior director with Secureworks' counter threat unit, says the timing, tools, tactics, and procedures that CISA described this week are consistent with the company's own findings from its investigation of two intrusions at a customer location.

The report corroborates "our assessment that the two intrusions we responded to at the same organization were both perpetrated by the same threat actor, [Spiral, aka Bronze Spiral]," Smith says.

Those TTPs included initial access through exploitation of vulnerable Internet-facing systems, he says. They also included "deployment of the Supernova Web shell, credential theft, ongoing access through VPN services using legitimate credentials, the deployment of other tools renamed to disguise their function, and the use of compromised infrastructure for command and control," Smith says.

The Supernova campaign was highly targeted and appears to have impacted only a very small number of organizations. However, it does serve as an example of how adversaries are constantly looking for vulnerabilities they can exploit for initial access. Once established on a network, such threats can be hard to eliminate, Smith notes.

"We should also remember that it does not take long for other, more opportunistic threats like ransomware operators to seize on exploits once they become public and look to use them for their own gain, at which point any organization is a potential target," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...