Recent investigations have linked a malicious web shell deployed on Windows systems to a possible Chinese cyber threat group, following the exploitation of an undisclosed zero-day vulnerability in SolarWinds’ Orion network monitoring software. The cybersecurity firm Secureworks reported that this breach involved a web shell referred to as Supernova, which embedded itself within the software environment without compromising SolarWinds’ update infrastructure.
In a report released on Monday, Secureworks attributed the attacks to a group it designates Spiral. The intrusions resemble previously reported activity: on December 22, 2020, Microsoft revealed that another espionage group had manipulated the same software to establish backdoor access. Both incidents are now under closer scrutiny as researchers at firms such as Palo Alto Networks’ Unit 42 and GuidePoint Security have corroborated the presence and functionality of the Supernova web shell.
The manipulation of the SolarWinds Orion application was made possible by an authentication bypass vulnerability, tracked as CVE-2020-10148, that allowed attackers to execute API commands without authenticating. Microsoft’s analysis noted that, unlike the infamous Sunburst malware, the malicious DLL associated with Supernova is not digitally signed, indicating an operational approach distinct from the broader supply chain attack linked to Russia.
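The unsigned DLL is the detection-relevant detail in that paragraph. As an added illustration written for this page (not code from Secureworks, Microsoft or SolarWinds), the following PowerShell sweep lists DLLs under an Orion web directory whose Authenticode signature is missing or invalid, together with their hashes and modification times; the default path is an assumption and should be adjusted to the local install.

```powershell
# Added example: report DLLs under the Orion web root that lack a valid Authenticode signature.
param(
    # Assumption: default Orion web site directory; change to match the local install.
    [string]$OrionRoot = 'C:\inetpub\SolarWinds'
)

if (-not (Test-Path -LiteralPath $OrionRoot)) {
    Write-Error "Path not found: $OrionRoot"
    exit 1
}

# Collect signature status, signer, SHA-256 and last-write time for every DLL found.
$findings = Get-ChildItem -LiteralPath $OrionRoot -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Status   = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Modified = $_.LastWriteTimeUtc
        }
    }

# Anything without a valid signature is a lead for review, newest files first.
$suspect = $findings | Where-Object { $_.Status -ne 'Valid' }
$suspect | Sort-Object Modified -Descending | Format-Table Status, Modified, SHA256, Path -AutoSize
```

Dynamically compiled ASP.NET assemblies are legitimately unsigned, so treat an unsigned result as a lead to compare against the vendor’s published file hashes and a known-good baseline, not as a verdict on its own.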
During their investigation, Secureworks’ Counter Threat Unit (CTU) researchers found that Spiral’s operational tactics suggested advanced knowledge of the targeted network. Notably, they drew comparisons to an earlier intrusion discovered in August 2020 that exploited a vulnerability in ManageEngine ServiceDesk software. That earlier activity, which had not been attributed to any threat group at the time, shows striking similarities to the later Spiral incident.
Cyberattacks targeting ManageEngine servers have consistently been associated with threat actors based in China, using tactics focused on credential theft, data exfiltration, and intellectual property theft. Recent findings also reveal that the attackers used an IP address traced back to China, suggesting possible operational coordination from the region. Researchers concluded that the attackers likely downloaded the endpoint detection software from Secureworks’ compromised network, raising significant concerns about the scope of the breach.
The implications of this incident extend beyond any single network, reflecting a broader trend of sophisticated cyber espionage targeting critical infrastructure and data. SolarWinds has since issued an update to its Orion Platform to address the vulnerabilities associated with Supernova, underscoring how critical a rapid response is in limiting exposure to such threats.
The methods used in this attack align with several tactics outlined in the MITRE ATT&CK framework, including initial access, persistence, and privilege escalation. The incident is a reminder of the persistent and adaptive nature of organized cyber operations, particularly those that are state-sponsored.
This revelation carries significant implications for organizations that utilize SolarWinds software and underscores the need for heightened vigilance in cybersecurity practices. As threats from advanced persistent threat (APT) groups evolve, continuous monitoring and proactive defense strategies remain essential for safeguarding sensitive data and operational integrity.