The Cybersecurity and Infrastructure Security Agency has identified a new threat actor that is using the Supernova backdoor to compromise SolarWinds Orion installations after initially accessing the network through a connection to a Pulse Secure VPN. The actor is distinct from the Russian group responsible for the SolarWinds supply chain compromise and used valid credentials, rather than an exploit for a vulnerability, to connect to the VPN.
CISA identified the new threat actor during an incident response engagement at an unnamed enterprise and found that the attacker had access to the network for nearly a year through the use of the VPN credentials. It’s not clear how the attacker originally obtained the credentials, but it was able to connect through several separate accounts, none of which had multi-factor authentication enabled. The attacker connected to the VPN from three individual residential IP addresses and used a virtual machine.
“The threat actor then moved laterally to the entity’s SolarWinds Orion appliance and established persistence by using a PowerShell script to decode and install SUPERNOVA. The SUPERNOVA webshell allows a remote operator to dynamically inject C# source code into a web portal provided via the SolarWinds software suite. The injected code is compiled and directly executed in memory. For more information on SUPERNOVA,” the CISA alert says.
Supernova is one of several pieces of malware that have been connected to the SolarWinds compromise and subsequent intrusions at a number of the company’s customers. It’s not the malicious code that was embedded in the Orion code itself, but is instead a backdoor that’s installed on compromised Orion instances to give the attacker persistence. It is not directly tied to the attack group that has been blamed for the SolarWinds breach, known as APT29, but has been used by other attackers to maintain persistence on compromised Orion instances.
“The SUPERNOVA incident described in the CISA alert adds a significant amount to our knowledge about the activity accompanying this malware. The activity they describe is stealthy and shows great care for operational security. In particular, their use of compromised residential routers in the U.S. would make tracking activity more difficult,” Ben Read, director of analysis with Mandiant Threat Intelligence, said.
In the incident that CISA investigated, once the attacker had access to the SolarWinds Orion instance, it then used two different methods to dump credentials from the application: exporting the private key certificate, and using a copy of ProcDump, disguised as a Splunk utility, to dump memory containing credentials. The attacker then erased the IIS server logs for the day that it dumped the credentials. Even though the logs were deleted, CISA said the attacker probably used an exploit for an authentication bypass vulnerability (CVE-2020-10148) in Orion to accomplish this.
“CISA believes the threat actor leveraged CVE-2020-10148 to bypass the authentication to the SolarWinds appliance and then used SolarWinds Orion API ExecuteExternalProgram() to run commands with the same privileges the SolarWinds appliance was running (in this case SYSTEM). CISA had not observed the threat actor using privileged accounts prior to the credential dumps, and the account being used to connect to the SolarWinds appliance (via VPN) did not have sufficient privilege to access it,” the alert says.
“The PowerShell process that initiated the credential harvesting and installation of SUPERNOVA was a child process of the solarwindsbusinesslayer.exe process. Two GET requests were logged in the following day’s log, with the internal Dynamic Host Configuration Protocol (DHCP) address given to the threat actor’s machine by the VPN appliance minutes after the exploitation, suggesting the threat actor was interacting with the SolarWinds web application.”
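Two of the signals in the alert are straightforward to hunt for in endpoint and web-server telemetry: a shell spawned as a child of solarwindsbusinesslayer.exe, and an IIS log directory that is missing a whole day. The following is an added example (not code from the CISA alert or from the article); the process events, the log file names and the field names are constructed for illustration, and the dates are fictional.

```python
import re
from datetime import date, timedelta

# Constructed process-creation events (Sysmon-like; field names are assumed).
PROCESS_EVENTS = [
    {"ts": "2020-11-04T02:13:05Z",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files (x86)\SolarWinds\Orion\solarwindsbusinesslayer.exe"},
    {"ts": "2020-11-04T02:10:00Z",  # an admin's interactive shell, benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2020-11-04T02:15:40Z",  # Orion spawning a non-shell helper, benign
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Program Files (x86)\SolarWinds\Orion\solarwindsbusinesslayer.exe"},
]

# Constructed listing of an IIS W3C log directory (default daily naming u_exYYMMDD.log);
# the file for 4 Nov is absent, matching the "deleted the day's logs" pattern.
IIS_LOG_FILES = ["u_ex201103.log", "u_ex201105.log", "u_ex201106.log"]

SUSPICIOUS_PARENT = "solarwindsbusinesslayer.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def flag_orion_spawned_shells(events):
    """Return events where a shell was spawned by the Orion business-layer process."""
    hits = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == SUSPICIOUS_PARENT and child in SHELLS:
            hits.append(ev)
    return hits


def missing_iis_log_days(log_filenames):
    """Return the dates with no u_exYYMMDD.log file between the earliest and
    latest day present; a gap in an otherwise continuous series is worth a look."""
    days = set()
    for name in log_filenames:
        m = re.fullmatch(r"u_ex(\d{2})(\d{2})(\d{2})\.log", name.lower())
        if m:
            yy, mm, dd = (int(g) for g in m.groups())
            days.add(date(2000 + yy, mm, dd))
    if not days:
        return []
    start, end = min(days), max(days)
    span = [start + timedelta(n) for n in range((end - start).days + 1)]
    return [d for d in span if d not in days]
```

The gap check only flags days inside the observed range, so it will not fire on a directory that is simply rotated or empty.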
Mandiant's Read said this incident exposed some of the first details about how Supernova is deployed.
“We now know a little bit more about how Supernova is used. Up until now, it wasn’t really clear how exactly it was getting onto SolarWinds,” he said. “I’d be curious about where the attackers pivoted to once they were in there, where else they went and what other credentials they gathered.”
CISA’s analysis of this incident comes a day after the revelation that attackers tied to the Chinese government have been exploiting vulnerabilities in the Pulse Secure Connect VPN appliance to compromise both government and enterprise networks. One of the flaws used in those intrusions was a previously unknown vulnerability, while the other three had been disclosed and patched about two years ago. However, the attacker in the incident that CISA described had legitimate credentials for the VPN and did not exploit any bugs to access it.
The attacker in this incident had access to the enterprise’s Pulse Secure VPN from March 2020 to February 2021, and CISA is still involved in the investigation and incident response effort.