An APT Group Exploits VPN to Deploy Supernova on SolarWinds Orion

What has been discovered?

• The threat actor used valid accounts that had MFA enabled, instead of exploiting a vulnerability, to connect to the VPN. It allowed them to disguise themselves as genuine teleworking employees of the impacted entity.
• In December 2020, Microsoft had revealed information about a second espionage group abusing the IT infrastructure provider's Orion software to deploy a persistent backdoor, Supernova, on target systems.
• The Supernova .NET web shell was deployed by making changes to the app_web_logoimagehandler[.]ashx[.]b6031896[.]dll module of the SolarWinds Orion application.
• The changes were made possible by taking advantage of an authentication bypass vulnerability in the Orion API (CVE-2020-10148), allowing the user to execute unauthenticated API commands.

Techniques employed by the APT group

• First, the gang used Export-PfxCertificate to collect cached credentials used by the SolarWinds appliance server and network monitoring (Unsecured Credentials: Private Keys [T1552.004]).
• In the second method, the APT group placed a copy of procdump[.]exe (Ingress Tool Transfer [T1105]) masked as the entity’s logging infrastructure, splunklogger[.]exe (Masquerading: Rename System Utilities).

Conclusion