
CISA Ties SUPERNOVA Malware to Pulse Secure, SolarWinds Exploits

First disclosed in January, SUPERNOVA malware began targeting vulnerable SolarWinds Orion tech. A new CISA report, however, shows hackers are pivoting to the tech through Pulse Secure VPNs.

DHS CISA report details SUPERNOVA malware threat actor tactics and techniques tied to Pulse Secure VPN and SolarWinds Orion

By Jessica Davis

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released a report on the relatively new malware variant known as SUPERNOVA, which ties the threat to both vulnerable Pulse Secure Virtual Private Networks (VPNs) and the SolarWinds Orion platform.

CISA first disclosed fresh insights on SUPERNOVA in January. At the time, data showed threat actors were targeting vulnerable SolarWinds Orion tech to install the malware separately onto servers that require unauthorized access to the network.

The malware was not part of the trojanized software update behind the massive supply chain attacks. Rather, the hackers continued to exploit entities that failed to mitigate the initial vulnerabilities, leveraging SUPERNOVA to appear as part of legitimate SolarWinds tech.

As the previous alert explained: “The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned [.NET] webshell… specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates.”

The backdoor functions of SUPERNOVA enable a remote attacker to dynamically insert C# source code into a web application to then inject more code.


CISA’s latest SUPERNOVA report shines a light on the tactics and techniques used by the attackers, based on a long-term compromise on an entity's network that began in March 2020. The actor gained access using US IP addresses that allowed them to masquerade as teleworking employees. 

The attack on the entity lasted nearly a year, from the initial phase to its end in February 2021. At that time, the threat actor was actively targeting multiple organizations.

The data shows the advanced persistent threat actor behind the attack is leveraging opportunistic means. However, full details about the actor and their tactics remain unknown.

For now, it’s clear the threat actor gained initial access to the victim’s network through a Pulse Secure VPN appliance and moved laterally to the SolarWinds Orion Server.

The attacker authenticated to the VPN using multiple user accounts, none of which employed multi-factor authentication. CISA is unaware of how the cybercriminals first obtained the credentials. But once they authenticated to the appliance, a VPN connection to the remote environment was initiated. 


“The media access control (MAC) address of the threat actor’s machine as recorded in the VPN appliance logs indicates use of a virtual machine,” CISA explained. “The threat actor then moved laterally to the entity’s SolarWinds Orion appliance by using a PowerShell script to decode and install SUPERNOVA.”
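The two VPN observations above (several accounts authenticating without MFA, and a client MAC address that points to a virtual machine) can be combined into one log review. The following is an added example, not code from CISA or from the original article; the CSV column layout and the sample records are constructed assumptions, not a Pulse Secure log format.

```python
import csv
import io
from collections import defaultdict

# MAC prefixes commonly seen on virtual NICs (hypervisor defaults).
# Extend or trim this table for your own environment.
VM_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V",
    "00:16:3E": "Xen", "52:54:00": "QEMU/KVM",
}

# Constructed sample records; the columns are an assumption. Map your
# appliance's authentication log export onto these five fields.
SAMPLE_LOG = """\
time,user,src_ip,mac,mfa
2020-03-10T08:01:12Z,alice,198.51.100.7,00-0c-29-ab-cd-ef,no
2020-03-10T08:14:40Z,bob,198.51.100.7,00-0c-29-ab-cd-ef,no
2020-03-11T07:55:03Z,carol,203.0.113.20,00:0C:29:AB:CD:EF,no
2020-03-11T09:02:31Z,dave,203.0.113.44,3c:22:fb:11:22:33,no
2020-03-11T09:30:10Z,erin,203.0.113.45,0050.5601.0203,yes
2020-03-12T10:11:59Z,frank,203.0.113.46,08:00:27:aa:bb:cc,no
"""

def normalize_mac(mac):
    """Return the MAC as upper-case colon-separated pairs, or None if invalid."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_suspect_clients(log_text, min_users=2):
    """Flag client MACs with a hypervisor prefix that authenticated as
    at least min_users distinct accounts without MFA."""
    users_by_mac = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        mac = normalize_mac(row["mac"])
        if mac is None or row["mfa"].strip().lower() == "yes":
            continue  # unparseable MAC, or the session used MFA
        if mac[:8] in VM_OUIS:
            users_by_mac[mac].add(row["user"])
    return {
        mac: {"vendor": VM_OUIS[mac[:8]], "users": sorted(users)}
        for mac, users in users_by_mac.items() if len(users) >= min_users
    }
```

A hypervisor prefix is a lead for review rather than proof of compromise, since MAC addresses can be changed and some teleworkers legitimately connect from virtual machines.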

Upon exploit, the hacker “dumped credentials from the SolarWinds using the Export-PfxCertificate to gather cached credentials used by the SolarWinds appliance server and network monitoring.”

CISA believes the attacker was able to accomplish this due to the private key certificate being marked as exportable: either the hacker was able to change this setting or the victim mistakenly marked the certificate as exportable.

A further analysis of the attack determined it’s likely the actor exploited an authentication bypass flaw in the SolarWinds Orion API, which enables a remote attacker to execute API commands. The attacker exploited the flaw and then used the API to run commands.

Several weeks later, the attacker returned, connected to the VPN, and used Windows Management Instrumentation to remotely open the tasklist, performing a host of exploratory and malicious activities.


The attacks appear designed for reconnaissance, as well as domain mapping and the theft of sensitive data. CISA also believes that the threat actors behind SUPERNOVA are not responsible for the initial supply-chain hack on SolarWinds. As such, victims that find SUPERNOVA on SolarWinds installations should treat the infection as a separate attack.

In light of continued reports on the expansive impact of the SolarWinds incident and the active attacks against several unpatched Pulse Secure VPN flaws, it’s crucial for entities to prioritize patching of these flaws and other remediation efforts.

CISA reminded organizations to check for instances of executables using the hash of another process, while strengthening access requirements and applying all known software updates.

Recommended measures include implementing MFA, using separate admin accounts for each admin workstation, using Local Administrator Password Solution (LAPS), and implementing the principle of least privilege for data access.

RDP and other remote access solutions should always use MFA and jump boxes for access, while all endpoints should employ defense tools.