The U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) says it has detected a new cyber attack in which an advanced persistent threat (APT) has leveraged a Pulse Secure virtual private network (VPN) appliance and a SolarWinds Orion server to get access to an unnamed organization and install the Supernova malware on its network.
The agency says it’s a separate incident from last-year’s SolarWinds supply-chain compromise.
“The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials,” CISA said in a new alert.
Supernova is a backdoor that allows a remote operator to dynamically inject C# source code into a web portal to subsequently inject code. Hackers use this malware for reconnaissance, to conduct domain mapping, and steal sensitive information and credentials. The agency notes that Supernova is not embedded within the Orion platform as a supply chain attack, it is a piece of malware that an attacker installs directly on a system that hosts SolarWinds Orion, and it is designed to appear as part of the SolarWinds product.
From at least March 2020 through February 2021, the APT leveraged several user accounts, none of which had multi-factor authentication enabled, to connect to the victim environment via Pulse Secure VPN.
The intruders then moved laterally to the SolarWinds Orion appliance and deployed the Supernova webshell to “dynamically inject C# source code into a web portal provided via the SolarWinds software suite.” The injected code is compiled and directly executed in memory.
CISA believes the threat actor exploited CVE-2020-10148, an authentication bypass vulnerability in SolarWinds Orion API, to bypass the authentication to the SolarWinds appliance and then used SolarWinds Orion API ExecuteExternalProgram() to run commands with the SYSTEM privileges (the same privileges the SolarWinds appliance was running).
Earlier this week, the cybersecurity firm FireEye released a report detailing cyber attacks exploiting a zero-day vulnerability in Pulse Secure VPN.