The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published details of an advanced persistent threat (APT) actor that deployed the Supernova web shell on SolarWinds Orion servers. The intrusion was traced back to access gained through the victim organization's Pulse Secure VPN appliance.

CISA reported that the threat actor infiltrated the targeted organization’s network via the Pulse Secure VPN appliance. Following initial access, the attacker conducted lateral movement to the SolarWinds Orion server, where they deployed malware identified as Supernova, a .NET web shell. The agency noted that the intruder also harvested credentials during this operation.

CISA identified the threat actor during an incident response engagement at an undisclosed organization. The investigation found that the attacker had maintained access to the enterprise network for roughly a year, from March 2020 to February 2021, by connecting through the VPN. Notably, the adversary authenticated with valid accounts that had multi-factor authentication (MFA) enabled rather than exploiting a vulnerability in the VPN appliance, which let the activity blend in with that of legitimate remote employees.

Separately, Microsoft disclosed in December 2020 that a second, unrelated group had likely used the Orion software to plant the Supernova backdoor. That activity has since been attributed to an actor tracked as Spiral, which is suspected of having connections to China.

In contrast to the other malware associated with the SolarWinds breach, Supernova was not delivered through the vendor's build pipeline. It is a .NET web shell planted as a modified, unsigned copy of a specific Orion DLL (app_web_logoimagehandler.ashx.b6031896.dll), the code behind the application's LogoImageHandler.ashx endpoint, so attacker-supplied requests to that endpoint are compiled and executed on the server. Placing the modified DLL required access to the Orion server, which CISA ties to an authentication bypass in the Orion API, CVE-2020-10148, that lets a remote attacker execute API commands without authenticating.
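Because Supernova rides on the existing LogoImageHandler.ashx endpoint, one practical check is to look for requests to that handler carrying parameters the legitimate image handler never uses. The script below is an added example, not part of CISA's advisory or SolarWinds' code: it parses IIS W3C log lines and flags such requests. The parameter names it matches (clazz, method, args, codes) are taken from public third-party analyses of the Supernova DLL and are an assumption of this example, not something stated in the text above; the log lines are constructed for illustration.

```python
from urllib.parse import parse_qs

# Query parameters reported in public analyses of the Supernova web shell.
# Assumption of this example: these names come from third-party reports,
# not from the CISA advisory summarized above.
SUPERNOVA_PARAMS = {"clazz", "method", "args", "codes"}

# Constructed sample IIS W3C log excerpt (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-02-10 08:01:12 10.0.0.5 GET /Orion/LogoImageHandler.ashx id=1 443 10.0.0.20 200
2021-02-10 08:02:45 10.0.0.5 GET /Orion/LogoImageHandler.ashx clazz=SolarWinds.Orion.Web.Helpers&method=Run&args=x&codes=dXNpbmcgU3lzdGVt 443 198.51.100.7 200
2021-02-10 08:03:01 10.0.0.5 GET /Orion/Login.aspx - 443 10.0.0.21 200
2021-02-10 08:04:22 10.0.0.5 POST /orion/logoimagehandler.ashx codes=abc 443 198.51.100.7 500
"""


def parse_iis(text):
    """Yield one dict per record, using the most recent #Fields directive
    as the column names; comment lines and malformed rows are skipped."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def is_supernova_request(rec):
    """True when the request targets LogoImageHandler.ashx (any case)
    and its query string carries at least one Supernova-associated parameter."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith("/logoimagehandler.ashx"):
        return False
    query = rec.get("cs-uri-query", "")
    if query == "-":  # IIS writes '-' when there is no query string
        return False
    params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return bool(params & SUPERNOVA_PARAMS)


def find_hits(text):
    """Return (timestamp, client IP, query) for every flagged request."""
    return [
        (f"{r['date']} {r['time']}", r["c-ip"], r["cs-uri-query"])
        for r in parse_iis(text)
        if is_supernova_request(r)
    ]


if __name__ == "__main__":
    for when, client, query in find_hits(SAMPLE_LOG):
        print(f"{when} {client} -> {query}")
```

Run it against the u_ex*.log files under the Orion site's IIS log directory; any hit warrants comparing the on-disk app_web_logoimagehandler.ashx DLL against a known-good copy and checking its signature, since a legitimate request to the handler has no reason to pass those parameters.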

As investigations continue, CISA is advising organizations to implement robust security measures. Recommendations include enforcing multi-factor authentication for privileged accounts, configuring firewalls to filter unsolicited connection attempts, adhering to strong password policies, and securing Remote Desktop Protocol (RDP) as well as other remote access solutions.
