The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of a new advanced persistent threat (APT) campaign involving the Supernova backdoor. The threat actors compromise SolarWinds Orion installations after breaching the network through a Pulse Secure VPN. In this campaign, the attacker successfully stole the victim's credentials, according to the agency.
“The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET web shell), and collected credentials,” the agency said on Thursday.
CISA said it detected the threat actor while conducting an investigation for an unnamed organization. It turned out the attacker had been able to access the enterprise's network for nearly a year by using the stolen VPN credentials.
The attacker compromised valid accounts despite multi-factor authentication (MFA), so they didn't have to exploit a vulnerability to connect to the VPN. This explains why they weren't detected earlier: their activity blended in with that of legitimate teleworking employees.
Interestingly, in December 2020, Microsoft disclosed that a second espionage group may have been abusing Orion software to drop the Supernova backdoor, in a campaign that has been attributed to a China-linked threat actor called Spiral.
Supernova is a .NET web shell that is essentially a modified version of SolarWinds Orion's "app_web_logoimagehandler.ashx.b6031896.dll" module. Attackers managed to modify the module by leveraging a known vulnerability in the Orion API tracked as CVE-2020-10148.
CISA advises that organizations implement multi-factor authentication for privileged accounts, enforce strong password policies, enable firewalls, and secure Remote Desktop Protocol (RDP) and other remote access infrastructure.