The investigation into the SolarWinds supply chain attack continues to reveal significant findings, including the emergence of a new malware strain. Recent digital forensic analysis suggests that a different group of threat actors may be exploiting SolarWinds’ Orion software to deploy a similar persistent backdoor on compromised systems.
According to Microsoft 365’s research team, the ongoing probe into the SolarWinds breach has led to the discovery of an additional piece of malware named “Supernova.” This malware targets the SolarWinds Orion product but appears to be unrelated to the original supply chain compromise associated with the Sunburst malware. The distinction lies in the fact that Supernova is not signed with a legitimate SolarWinds certificate, indicating a separate origin for this malicious software.
Research conducted by Palo Alto Networks elaborated further on the functionality of Supernova. The malware is compiled and executed in the system’s memory, enabling attackers to evade detection by endpoint security solutions. This in turn facilitates the deployment of sophisticated .NET applications, which can be leveraged for reconnaissance, lateral movement, and other phases of the cyberattack lifecycle.
Understanding the Sunburst Backdoor
The SolarWinds incident has illuminated the extensive ramifications of breaches in supply chain security, affecting not just companies but also a wide range of government organizations. The attack, which compromised the Orion network management software, involved the insertion of malicious code into a DLL file (known as Sunburst or Solorigate) through updates pushed between March and June of this year. This backdoor allows attackers to invisibly collect sensitive information, execute remote commands, and send the exfiltrated data to servers controlled by the adversaries.
Analysis suggests a strategic approach whereby attackers selectively targeted high-value data from a subset of nearly 18,000 potential victims. The initial reconnaissance phase was critical in determining which accounts and assets would be prioritized during the attack.
Command-and-control (C2) infrastructure was a key component, with a primary server linked to the backdoor, designated as “avsvmcloud[.]com.” This server would then direct the infected systems to additional C2 resources, enabling specific commands for escalating privileges, stealing credentials, and moving laterally within networks.
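A defender's first check against the C2 infrastructure described above is to search DNS logs for lookups of that domain or any of its subdomains. The following is an added example, not code from the original article or from any vendor report; the log format (timestamp, client IP, queried name) and the subdomain labels in the sample lines are constructed for illustration.

```python
import re

# The primary C2 domain as the article gives it, in defanged form.
C2_DOMAIN = "avsvmcloud[.]com"

# Constructed sample DNS query log, one "timestamp client qname" per line.
# The subdomain labels are made up and do not reproduce any real pattern.
SAMPLE_DNS_LOG = """\
2020-12-14T03:12:09Z 10.0.4.17 updates.example.net
2020-12-14T03:12:11Z 10.0.4.17 xk3d9a1l.avsvmcloud.com
2020-12-14T03:13:40Z 10.0.9.2 notavsvmcloud.com
2020-12-14T03:15:02Z 10.0.4.21 AVSVMCLOUD.COM.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def refang(domain: str) -> str:
    """Turn the defanged 'a[.]b' notation back into a real domain name."""
    return domain.replace("[.]", ".")


def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot (FQDN form)."""
    return qname.strip().lower().rstrip(".")


def matches_c2(qname: str, c2: str = C2_DOMAIN) -> bool:
    """True for the C2 domain itself or any subdomain of it.

    The '.' + c2 suffix test avoids false positives such as
    'notavsvmcloud.com', which merely ends with the same characters.
    """
    q, c = normalize(qname), normalize(refang(c2))
    return q == c or q.endswith("." + c)


def find_c2_lookups(log_text: str, c2: str = C2_DOMAIN) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, normalized qname) for every matching lookup."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and matches_c2(m["qname"], c2):
            hits.append((m["ts"], m["client"], normalize(m["qname"])))
    return hits


def clients_to_triage(log_text: str, c2: str = C2_DOMAIN) -> list[str]:
    """Distinct internal clients that resolved the C2 domain, for IR follow-up."""
    return sorted({client for _, client, _ in find_c2_lookups(log_text, c2)})
```

Any host listed by `clients_to_triage` should be checked for the Orion software and isolated pending forensic review; absence of hits only means nothing was found in this log source.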
Recent reports from cybersecurity authorities, such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA), indicated that other initial infection vectors were likely exploited apart from the SolarWinds tool, broadening the scope of the attack.
Compromised Installations and Response Efforts
Firms including Cisco, VMware, and Deloitte have confirmed instances of malicious installations of the Orion software. Reports from Kaspersky and Symantec revealed that they identified numerous clients who had inadvertently downloaded packages containing the Sunburst backdoor, with a few even discovering traces of a secondary payload, Teardrop.
While the exact number of affected victims remains uncertain, the attack’s scope continues to grow, particularly after the revelation of a breach at FireEye, which initially exposed the vulnerabilities connected to SolarWinds software. A range of prominent U.S. companies and government entities, including Microsoft, Cisco, and others, have reported the presence of the malware within their environments.
In light of the SolarWinds attack, Cisco has implemented immediate incident response protocols, determining that its products and customer data remain unaffected while investigations into the situation are ongoing. The attack underscores challenges in cybersecurity as threat actors leverage sophisticated techniques, including activity aligned with MITRE ATT&CK tactics such as initial access, persistence, privilege escalation, command and control, and data exfiltration.
Although some reports have attributed these cyber operations to APT29, the Russian government has denied any involvement, and no definitive evidence has yet been presented linking specific threat actors to the assault. As investigations continue to unfold, the need for enhanced security measures and awareness regarding supply chain vulnerabilities has never been more critical.