Researchers at Secureworks have found links between the Supernova malware planted on compromised internet-facing SolarWinds Orion installations and intrusions carried out in August 2020 against Zoho ManageEngine servers, which the cybersecurity firm attributed to a threat actor based in China.
In November 2020, the cyber-espionage group, which Secureworks dubbed Spiral, was observed exploiting an authentication bypass vulnerability (CVE-2020-10148) in the SolarWinds Orion platform to plant the Supernova web shell. However, the researchers pointed out that this activity is unrelated to the Sunburst supply chain attack that trojanized the SolarWinds Orion business software update.
Written in C# for .NET, the Supernova web shell is a trojanized version of a legitimate DLL used by the SolarWinds Orion Platform. In the observed attacks, the attackers used Supernova to conduct additional reconnaissance and to obtain credentials.
Secureworks said it had also identified intrusion activity on the same network earlier in 2020. The investigation revealed that the intruders had gained access to the network as far back as 2018 by exploiting a vulnerability in a ManageEngine ServiceDesk server, and had used this access to periodically harvest and exfiltrate domain credentials.
In August 2020, the attackers stole credentials from two servers and used them to access files from Microsoft Office 365-hosted SharePoint and OneDrive services.
“CTU researchers were initially unable to attribute the August activity to any known threat groups. However, the following similarities to the SPIRAL intrusion in late 2020 suggest that the SPIRAL threat group was responsible for both intrusions,” the researchers wrote.
“CTU researchers have associated Chinese threat groups with network intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. Although SPIRAL activity shares these characteristics, the characteristics are insufficient for attributing SPIRAL’s country of origin. However, an additional characteristic of the August 2020 intrusion strengthens the Chinese connection.”
In a statement, SolarWinds clarified that the Supernova malware planted in the Orion software present on the customer network was not part of the widespread supply-chain attack attributed to a threat actor tracked by security researchers as Nobelium (Microsoft), UNC2452 (FireEye), StellarParticle (CrowdStrike), SolarStorm (Palo Alto Networks) and Dark Halo (Volexity).
“This report references an incident where a network was first compromised in a way that was unrelated to SolarWinds. That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer's network. It is important to note that Supernova is not associated with the broad and sophisticated supply chain attack that targeted multiple software companies as vectors. Supernova was neither signed nor delivered by SolarWinds and the issue was addressed in Orion platform updates that were released in December,” SolarWinds said.