23 April 2021

APT abused Pulse Secure, SolarWinds appliances to plant Supernova webshell on enterprise network

The U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) says it has detected a new cyber attack in which an advanced persistent threat (APT) has leveraged a Pulse Secure virtual private network (VPN) appliance and a SolarWinds Orion server to get access to an unnamed organization and install the Supernova malware on its network.

The agency says it’s a separate incident from last year’s SolarWinds supply-chain compromise.

“The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials,” CISA said in a new alert.

Supernova is a backdoor that allows a remote operator to dynamically inject C# source code into a web portal, where it is compiled and executed. Attackers use this malware for reconnaissance, to conduct domain mapping, and to steal sensitive information and credentials. The agency notes that Supernova is not embedded within the Orion platform as a supply chain attack; it is a piece of malware that an attacker installs directly on a system hosting SolarWinds Orion, and it is designed to appear as part of the SolarWinds product.

From at least March 2020 through February 2021, the APT leveraged several user accounts, none of which had multi-factor authentication enabled, to connect to the victim environment via Pulse Secure VPN.

The intruders then moved laterally to the SolarWinds Orion appliance and deployed the Supernova webshell to “dynamically inject C# source code into a web portal provided via the SolarWinds software suite.” The injected code is compiled and directly executed in memory.
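The behaviour described above, C# source submitted through a web handler and compiled in memory, leaves the source itself in the web server's request log. The following detection is an added example, not code from CISA or this article: it scans constructed IIS-style log lines for the Orion portal and flags any request whose query parameter carries C# source markers. The handler path, parameter name, IP addresses and marker list are assumptions chosen for the example.

```python
import re
from urllib.parse import parse_qs

# C# source markers that a legitimate Orion request should never carry in a
# query string. Heuristic list chosen for this example, not taken from the page.
CSHARP_MARKERS = (
    re.compile(r"\busing\s+System\b"),
    re.compile(r"\b(public|internal|static)\s+class\s+\w+"),
    re.compile(r"\bnamespace\s+\w+"),
    re.compile(r"\bCSharpCodeProvider\b"),
    re.compile(r"\bAssembly\.Load\b"),
)

def csharp_markers_in(text):
    """Return the marker patterns found in an already-decoded parameter value."""
    return [m.pattern for m in CSHARP_MARKERS if m.search(text)]

def parse_w3c_line(line):
    """Parse a simplified W3C-style line: date time c-ip method uri-stem uri-query status."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client, method, stem, query, status = parts[:7]
    return {"ts": f"{date} {time}", "client": client, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}

def scan(lines):
    """Return one finding per request whose query parameters contain C# source."""
    findings = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None or not rec["query"]:
            continue
        # parse_qs percent-decodes values, so markers are matched on plain text.
        params = parse_qs(rec["query"], keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                hits = csharp_markers_in(value)
                if hits:
                    findings.append({"ts": rec["ts"], "client": rec["client"],
                                     "stem": rec["stem"], "param": name, "markers": hits})
    return findings

# Constructed sample log lines: fictional handler path, IPs and timestamps.
SAMPLE_LOG = [
    "2021-02-10 03:14:07 198.51.100.23 GET /Orion/Login.aspx ReturnUrl=%2fOrion%2f 200",
    "2021-02-10 03:15:41 198.51.100.23 GET /Orion/ExampleHandler.ashx "
    "src=using+System%3Bpublic+class+Run%7Bpublic+static+string+Go%28%29%7Breturn+%22x%22%3B%7D%7D 200",
    "2021-02-10 03:16:02 203.0.113.5 GET /Orion/NetPerfMon/Resources.aspx id=42 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is reported; a request that compiles attacker-supplied source must carry that source, so matching on it survives changes to the handler name.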

CISA believes the threat actor exploited CVE-2020-10148, an authentication bypass vulnerability in the SolarWinds Orion API, to bypass authentication to the SolarWinds appliance and then used the SolarWinds Orion API ExecuteExternalProgram() to run commands with SYSTEM privileges (the same privileges under which the SolarWinds appliance was running).

Earlier this week, the cybersecurity firm FireEye released a report detailing cyber attacks exploiting a zero-day vulnerability in Pulse Secure VPN.
