A critical vulnerability has been identified in the SolarWinds Orion software, which may have been exploited by threat actors as a zero-day to deliver the SUPERNOVA malware across targeted environments. This discovery highlights significant risks for organizations utilizing this widely adopted system monitoring and management tool.

The CERT Coordination Center released an advisory detailing the vulnerability categorized under CVE-2020-10148. The flaw resides within the SolarWinds Orion API, which serves as the communication backbone for various Orion products. The security defect might enable remote attackers to execute unauthenticated API commands, potentially leading to a full compromise of the SolarWinds instance, putting many businesses at risk.

According to the advisory, attackers can bypass API authentication by manipulating specific parameters in the Request.PathInfo portion of a Uniform Resource Identifier (URI). By appending certain PathInfo parameters, such as ‘WebResource.adx’ or ‘ScriptResource.adx,’ an attacker could trigger the SkipAuthorization flag, allowing unauthorized API requests to be processed.
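The bypass described above leaves a recognisable trace in web-server access logs: an API request whose PathInfo ends in one of the advisory's marker strings. The following detector is an added example (not code from the advisory or from SolarWinds) that scans IIS W3C-style log lines for that pattern; the field order, the `/Orion/ApiEndpoint/Placeholder/...` route and the sample log lines are constructed for illustration, and the marker tuple holds only the two strings quoted on this page.

```python
import re
from typing import Iterable, List, Tuple

# PathInfo markers named in the CERT/CC advisory for CVE-2020-10148, as
# quoted on this page. Extend the tuple if your Orion build's
# SkipAuthorization logic is known to honour further strings.
BYPASS_MARKERS = ("webresource.adx", "scriptresource.adx")

# Assumed IIS W3C field layout: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status. Adjust to the #Fields: header of your own logs.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<cip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def is_bypass_path(stem: str) -> bool:
    """True when a marker is appended as trailing PathInfo to a longer route.

    The advisory describes the marker being appended *after* the real API
    path, so we require a multi-segment path whose last segment is a marker.
    The legitimate ASP.NET handler '/WebResource.axd?d=...' does not match:
    different extension and a single segment.
    """
    segments = [s for s in stem.lower().split("/") if s]
    return len(segments) > 1 and segments[-1] in BYPASS_MARKERS


def find_bypass_attempts(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (time, client-ip, uri-stem, status) for each suspicious request."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and W3C directives
            continue
        m = LOG_RE.match(line)
        if m and is_bypass_path(m["stem"]):
            hits.append((m["time"], m["cip"], m["stem"], m["status"]))
    return hits


# Constructed sample log lines; the API route is a placeholder, not a real one.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-12-26 10:00:01 10.0.0.5 GET /Orion/Login.aspx - 200
2020-12-26 10:00:02 10.0.0.5 GET /WebResource.axd d=abc123 200
2020-12-26 10:00:09 203.0.113.7 GET /Orion/ApiEndpoint/Placeholder/WebResource.adx - 200
2020-12-26 10:00:11 203.0.113.7 POST /Orion/ApiEndpoint/Placeholder/ScriptResource.adx - 200
"""

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG.splitlines()):
        print("possible CVE-2020-10148 bypass:", hit)
```

A 200 status on such a request is the concerning case, since it means the unauthenticated call was served rather than rejected.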

Recent reports indicated that this vulnerability aligns with warnings in SolarWinds’ security advisory regarding potential risks associated with the Orion Platform. Earlier disclosures by Microsoft suggested that a different threat actor might have exploited this vulnerability to plant the SUPERNOVA malware in affected systems. The sophisticated design of this malware, described as a .NET web shell, allows it to execute commands remotely by leveraging a compromised DLL within the application.

Palo Alto Networks’ Unit 42 and GuidePoint Security corroborated findings regarding the SUPERNOVA malware’s structure, noting that its inclusion in the Orion software was facilitated through the alteration of a benign DLL module, which ordinarily serves to render user-configured images. The malicious modifications enable command execution in the context of the server user, thus amplifying the potential impact of the attack.

Unit 42 researchers emphasized that SUPERNOVA stands out for its ability to execute commands directly in memory, which they attributed to the sophistication and agility of its development. The web shell appears distinct from the SUNBURST malware, which is linked to a separate hacking group (tracked as “UNC2452”); notably, SUPERNOVA’s DLL lacks the digital signature found on its SUNBURST counterparts.

This vulnerability poses a serious threat not only to SolarWinds but also to the myriad organizations that depend on its software, as the global intrusion campaign could affect around 18,000 customers. Government bodies and cybersecurity experts continue to investigate the full repercussions of this breach.

FireEye, the first to uncover the SUNBURST exploit, noted that the attackers demonstrated a high level of sophistication and operational security by removing their tools post-compromise, indicating advanced capabilities in managing their intrusion efforts. Further analysis revealed that preparations for this attack began as early as October 2019, emphasizing the calculated nature of the adversaries involved.

To address the authentication bypass vulnerability, organizations using SolarWinds Orion are urged to update to the latest versions. Those who have already upgraded to the latest respective versions need not take further action, as both the SUNBURST and SUPERNOVA vulnerabilities have been remediated.

The potential MITRE ATT&CK tactics involved in this breach include Initial Access, with attackers exploiting the vulnerability to gain entry; Persistence, to establish long-term footholds through the malicious DLL; and Privilege Escalation, enabling elevated access rights through compromised API commands. Businesses must stay informed and proactive to safeguard against such vulnerabilities in the ever-evolving cybersecurity landscape.