What We Know (and Dont Know) So Far About the Supernova SolarWinds Attack

  /     /     /  
Publicated : 23/11/2024   Category : security


What We Know (and Dont Know) So Far About the Supernova SolarWinds Attack


A look at the second elusive attack targeting SolarWinds software that researchers at Secureworks recently cited as the handiwork of Chinese nation-state hackers.



Its mostly been overshadowed by the massive and brazen supply chain breach of the SolarWinds Orion software-build process — the lesser-known Supernova cyberattack also remains a bit of a mystery. Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds Orion network management software, so far have been scarce.
Less than a handful of victims have been known to be targeted, and an investigation into the breach of one of those victims led to researchers at Secureworks tying the Supernova attacks to a previously unknown Chinese nation-state group they dubbed Spiral.
Supernova first came to light during FireEyes investigation into the Orion software-update attack (aka Sunburst, Solorigate) back in December, and at first it was mistakenly believed to be part of the supply chain attack campaign. Microsoft soon thereafter
revealed
that Supernova indeed was not part of the supply chain attack.
Its likely coincidental that two separate nation-states were targeting the same software, albeit in very different ways, experts say. I think its a coincidence that both the Chinese and Russian advanced persistent threats (APTs) both targeted SolarWinds software in their attacks, notes Mike McLellan, director of intelligence at Secureworks. And the high-profile discovery of the attack from Russia may have burned Chinas parallel operation for now, too, he says.
That could explain the dearth of additional activity reported by researchers on Supernova: The attackers may have halted the Orion attack and sought other ways to quietly target and spy on their victims.
Its not unusual for multiple nation-state attacker groups to target the same victim organization, nor even to reside concurrently and unbeknownst to one another while conducting their intelligence-gathering operations. But Supernova and the Orion supply chain attack demonstrate how nation-states also can have similar ideas yet different methods regarding how they target and ultimately burrow into the networks of their victims.
Supernova homed in on SolarWinds Orion by exploiting a flaw in the software running on a victims server; Sunburst did so by inserting malicious code into builds for versions of the Orion network management platform. The digitally signed builds then were automatically sent to some 18,000 federal agencies and businesses last year via a routine software update process, but the attackers ultimately targeted far fewer victims than those who received the malicious software update, with fewer than 10 federal agencies affected as well as some
40 of Microsofts own customers
. US intelligence agencies have attributed that attack to a Russian nation-state group, and many details of the attack remain unknown.
Supernova took a more traditional, yet stealthy, approach to leveraging Orions lucrative mapping and tracking features of a victims network. Supernova was looking for SolarWinds on the [victims] network and compromising them from there, explains Secureworks McLellan.
The Russian activity comes from the SolarWinds network, he says of the supply chain attack using Sunburst. Thats the key difference.
Ben Read, FireEye Mandiant Threat Intelligences director of analysis, agrees that the two attacks were separate and unrelated — with different victims. We have no indication one operation knew about the other, he says. The widespread adoption of the Orion software may well have made it a compelling target for multiple state intelligence agencies to use in their attacks, he says.
Microsoft recently renamed the supply chain attack and the attackers behind it as
Nobelium
.
The Targets
Reuters first
reported
about a China nexus for the Supernova attack in early February, identifying the US Department of Agriculture (USDA)s National Finance Center (NFC) as a target of the Supernova attackers. But the USDA disputed reporting that that NFC had been breached.
When contacted by Dark Reading about the Supernova attack, USDA reiterated that it had no evidence that NFC suffered a data breach, but it was still investigating.
In compliance with [the Cybersecurity and Infrastructure Security Agency]s emergency directive and to protect USDA systems, USDA notified customers in December that it had removed SolarWinds Orion products from its networks due to the SolarWinds compromise. While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center, the agency said in a statement in response to inquiries by Dark Reading.
The agency did not provide any further details, so it remains unclear exactly if or how the agencys Orion implementation was affected.
The Supernova victim that Secureworks investigated was a private-sector organization in the US, according to the security firm. Were limited in what we can say about the victim, Secureworks McLellan says. Information theft was the target: information related to their clients, customers.
SolarWinds, meanwhile, says it knows of one victim of the Supernova attack, according to a company spokesperson. That breach enabled the attackers to add the malicious Supernova code to Orion software on the customers network, the spokesperson says, noting that the flaw since has been patched. Supernova was neither signed nor delivered by SolarWinds, and the issue was addressed in Orion platform updates that were released in December.
SolarWinds did not disclose any additional details about the victim.
How It Works
Supernova contains two malware components: a Web shell, an unsigned Windows .dll file crafted to appear as legitimate code on Orion (app_web_logoimagehandler.ashx.b6031896.dll); and an exploit that abused the previously unknown API authentication bypass flaw (
CVE-2020-10148
) that was used to run the Web shell.
The now-patched vuln let an attacker run commands without authenticating to the API; the Supernova attackers used it to install the Web shell into the victims Orion software running on their internal severs.
Secureworks found a link between Supernova and a previous attack on one of its clients, which it detailed in a
blog post
earlier this month.
The Spiral team exploited the API authentication flaw on Orion to drop the Supernova Web shell onto the victims internal SolarWinds server such that it could then remotely run its own commands on the server. It then moved laterally to two hosts: a domain controller for harvesting credentials, according to Secureworks, and then a server that provided access to sensitive information about the business. The attackers appeared to know the network layout, given the speed and targeting of the servers; Secureworks incident responders thwarted further infiltration of the network.
There was malicious activity on the SolarWinds server on this clients network, which Secureworks then found had exploited an API bypass vulnerability, says Marc Burnard, a senior information security researcher with Secureworks.
They used that vuln to drop the Supernova Web shell onto the SolarWinds server and began interacting with it to run commands on the server.
They then moved laterally to a domain controller to steal credentials and another server that could have given them access to client data, he says.
The victim organization had suffered an attack in early 2020 with some similar characteristics, according to Secureworks: The attackers exploited one of the organization’s public-facing ManageEngine ServiceDesk servers, silently grabbing domain credentials over a period of nearly two years, and then in August 2020, stealing credentials from two of the victims servers to steal files from their Office 365 SharePoint and OneDrive cloud applications.
Secureworks matched the two attacks to the same threat actor because of the similar techniques involved: The attackers used the same commands and output file paths in the Microsoft Windows Local Security Authority Subsystem Service (LSASS), the same directory name, and a domain controller and a server to reach valuable business information. And three compromised admin accounts were used in both attacks.
Wes Riley, incident response operations and technical lead at ‎GuidePoint Security, recently analyzed the Supernova Web shell. Riley says that although the Supernova code was not especially sophisticated, it was elegant. The Web shell is memory-resident, and the attackers used an existing API to set up their access to gathering intel.
The Supernova Web shell poses as a SolarWinds Web service, displaying the Orion logo image. The purpose of the file is just to grab an image ... to pull the logo for SolarWinds [Orion] and present it, he explains. Other Web pages on that Web UI will call that file and grab the image. Placing the malicious code there was elegant and stealthy, he says.
Riley doesnt consider the SolarWinds API vulnerability that the attackers exploited a true zero-day bug. Its a gray area, he says. The attackers basically abused a function of the software and its application programming interface. They found a location in the software where a forward-facing page will call a function, he says.
China
Secureworks researchers say aside from similar characteristics of Supernova with other nation-state actors out of China, they were able to tie the two attacks on their customer to China via a small but significant misstep the attackers made: exposing an IP address. A Secureworks endpoint detection and response (EDR) agent checked in from a host that did not belong to the compromised organization and used an IP address geolocated to China, according to Secureworks findings.
GuidePoints Riley says Supernovas use of a Web shell rings of a Chinese nation-state operation. He says it reminds him of the way the so-called Shellcrew (aka Deep Panda) APT group operates, but he didnt have firsthand knowledge of the attackers nor was he focused on attribution in his analysis.
The only similarities I saw with other attack groups Ive seen or dealt with is more from the approach, Riley notes. Shellcrew, for instance, is really adept at planting malicious code along the callpath of large Web applications, he says.
Charity Wright, a cyber-threat intelligence analyst at RecordedFuture who specializes in China, says she and her team were suspicious when China basically sat out of election-meddling operations against during the 2020 US presidential campaign; the researchers figured Chinese nation-state hacking teams were preparing something big. It turns out they were, she says, pointing to the recently revealed widespread Microsoft Exchange Server zero-day attacks as well as Supernova, although Wright says RecordedFuture could not directly confirm Supernova came from China.
Secureworks so far is the only team to publicly name China in the attacks. While we cant independently verify the activity witnessed by Secureworks in their engagements, this would not be the first time an attacker missteps and inadvertently tips their hand, says J.A. Guerrero-Saade, principal threat researcher at SentinelOne, of the discovery by Secureworks. Regardless, attribution based entirely on cyber indicators is notoriously fungible and should be handled with caution.
A Spiral Comeback?
Nation-states are known to leave monitoring tools in place for re-entry, Secureworks McLellan says, or to regroup and return with a different exploit if they get discovered. We imagine this group may reappear. Theyve been around since 2018; we expect them to come back with some other way of gaining access.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
What We Know (and Dont Know) So Far About the Supernova SolarWinds Attack