The Cybersecurity and Infrastructure Security Agency (CISA) has published a new analysis report on Supernova malware used in a cyberattack and long term compromise of an entity’s network and SolarWinds systems.
In January, 2021, CISA had previously released malware analysis on Supernova that affected unpatched SolarWinds Orion software. At that time, advanced persistent threat (APT) actors installed the malware directly on systems hosting SolarWinds Orion and disguised the malware as part of the SolarWinds product.
Supernova is a malicious .NET webshell backdoor that is embedded in a trojanized version of a Solarwinds Orion Web Application module. Bad actors use the malware to dynamically inject C# source code into SolarWinds software web portal.
In the new report published April 22, CISA analyzed a cyberattack over the past year against an enterprise running compromised SolarWinds infrastructure:
“The Cybersecurity and Infrastructure Security Agency (CISA) recently responded to an advanced persistent threat (APT) actor’s long-term compromise of an entity’s enterprise network, which began in at least March 2020. The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials.CISA
Similar to previous analysis, CISA believed the APT actor exploited CVE-2020-10148, an authentication bypass vulnerability in SolarWinds Orion Application Programming Interface (API) that allows a remote attacker to execute API commands.
Moreover, CISA highlighted at least two methods the actors used to dump credentials from compromised SolarWinds systems:
- Used Export-PfxCertificate to gather cached credentials used by the SolarWinds appliance server and network monitoring. The private key certificate may have been marked by mistake by the impacted enterprise or manipulated by the threat actor to bypass the property.
- Placed a copy of procdump.exe disguised as the victim’s logging infrastructure, splunklogger.exe, onto the SolarWinds Orion server. Furthermore, the actor then used the tools along with system access to dump Local Security Authority Subsystem Service (LSASS) memory to steal additional credentials. After credentials were placed in a local directory, the actor made a GET request to the victim’s IIS server to exfiltrate the stolen data over a command-and-control (C2) channel.
Additional information on Supernova was also published in previous blog posts by Microsoft and Palo Alto Network’s Unit 42.
Readers can check out the full report for more details on Supernova malware and incident response analysis.
- CISA releases new malware analysis on Supernova
- SolarWinds releases updated advisory on SUPERNOVA malware (updated with CVE-2020-10148)
- FireEye publishes Microsoft 365 tools and hardening strategies to defend against SolarWinds attackers
- DHS issues new emergency guidance on SolarWinds Orion Code compromise