CISA has issued an alert about an APT group that deployed the Supernova backdoor on SolarWinds Orion installations. The group gained its initial access by connecting to the victim's Pulse Secure VPN appliance with valid credentials rather than by exploiting the device.
What has been discovered?
CISA identified the group during an incident response engagement at an unnamed organization. From March 2020 through February 2021, the attacker repeatedly accessed the enterprise network using VPN credentials.
- The threat actor connected to the VPN with valid accounts that had MFA enabled, rather than by exploiting a vulnerability in the appliance. This let its sessions blend in with those of genuine teleworking employees of the impacted entity.
- In December 2020, Microsoft had already reported a second espionage group abusing SolarWinds' Orion software to deploy a persistent backdoor, Supernova, on target systems.
- Supernova is a .NET web shell that was installed by modifying the app_web_logoimagehandler[.]ashx[.]b6031896[.]dll module of the SolarWinds Orion application.
- Installing it required exploiting an authentication bypass vulnerability in the Orion API (CVE-2020-10148), which allows an unauthenticated attacker to execute API commands.
Techniques employed by the APT group
The group dumped credentials from the SolarWinds appliance using two methods:
- First, the actor ran the Export-PfxCertificate PowerShell cmdlet, which exports certificates together with their private keys, to collect cached credentials used by the SolarWinds appliance server and network monitoring (Unsecured Credentials: Private Keys [T1552.004]).
- Second, the group transferred a copy of procdump[.]exe onto the appliance (Ingress Tool Transfer [T1105]) and renamed it splunklogger[.]exe so that it would pass as part of the entity's logging infrastructure (Masquerading: Rename System Utilities [T1036.003]), then used it to dump process memory containing credentials.
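Both credential-access techniques leave traces in standard Windows host telemetry. The following is an added example, not code from CISA's report or from this article, showing detection logic run over constructed Sysmon-style process-creation records (Event ID 1 fields Image, OriginalFileName, CommandLine) and PowerShell script-block records (Event ID 4104 field ScriptBlockText). A renamed procdump is caught when the PE version-info OriginalFileName still identifies it as procdump while the on-disk file name does not, with a fallback on procdump-specific command-line flags for the case where version info has been stripped; Export-PfxCertificate use is flagged directly. All event contents, paths and process IDs below are constructed, and the assumption that OriginalFileName may appear with or without the .exe suffix is handled by normalizing both names before comparing.

```python
"""Detection sketch for the two SUPERNOVA-incident credential-access TTPs:
renamed procdump (T1036.003 / T1105) and Export-PfxCertificate (T1552.004)."""
import re
from pathlib import PureWindowsPath

# Names procdump carries in its PE version info (assumption: with or without .exe).
PROCDUMP_NAMES = {"procdump", "procdump64"}
# Flags characteristic of procdump: full dump (-ma), mini dump variants (-mp, -mm)
# and the EULA acceptance switch.
PROCDUMP_FLAGS = re.compile(r"(^|\s)-(ma|mp|mm|accepteula)(\s|$)", re.IGNORECASE)
PFX_EXPORT = re.compile(r"\bExport-PfxCertificate\b", re.IGNORECASE)

# Constructed sample events (not from the incident). Hostnames, paths and PIDs are made up.
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"event_id": 1, "Image": r"C:\ProgramData\Splunk\splunklogger.exe",
     "OriginalFileName": "procdump",
     "CommandLine": r"splunklogger.exe -accepteula -ma 1234 C:\Temp\out.dmp"},
    {"event_id": 4104, "ScriptBlockText": r"Get-ChildItem Cert:\LocalMachine\My"},
    {"event_id": 4104,
     "ScriptBlockText": r"Export-PfxCertificate -Cert $c -FilePath C:\Temp\orion.pfx -Password $p"},
]


def _stem(name):
    """Lower-case file name without directory or trailing .exe, for name comparison."""
    base = PureWindowsPath(name).name.lower()
    return base[:-4] if base.endswith(".exe") else base


def detect_renamed_procdump(event):
    """T1036.003: the binary's own version info says procdump but the on-disk name does not."""
    orig = _stem(event.get("OriginalFileName", ""))
    image = _stem(event.get("Image", ""))
    if orig in PROCDUMP_NAMES and image != orig:
        return (f"T1036.003 renamed procdump: {event['Image']} "
                f"(OriginalFileName={event['OriginalFileName']})")
    # Fallback: version info stripped or missing, but the command line uses procdump flags
    # from an image that is not named procdump.
    if image not in PROCDUMP_NAMES and PROCDUMP_FLAGS.search(event.get("CommandLine", "")):
        return f"T1036.003 possible renamed procdump (flags): {event['Image']}"
    return None


def detect_pfx_export(event):
    """T1552.004: Export-PfxCertificate writes certificates with private keys to a PFX file."""
    text = event.get("ScriptBlockText", "")
    if PFX_EXPORT.search(text):
        return f"T1552.004 Export-PfxCertificate: {text.strip()}"
    return None


def scan(events):
    """Apply the matching rule to each event and return the list of findings."""
    findings = []
    for ev in events:
        if ev.get("event_id") == 1:
            hit = detect_renamed_procdump(ev)
        elif ev.get("event_id") == 4104:
            hit = detect_pfx_export(ev)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both rules depend on the logging being in place: OriginalFileName requires Sysmon (or an EDR exposing PE version info), and Export-PfxCertificate only appears in 4104 events when script block logging is enabled. A legitimately named procdump.exe is deliberately not flagged by the rename rule; whether dumping process memory on a monitoring server is acceptable at all is a separate policy question for the environment.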
The investigation is ongoing, and CISA recommends that organizations follow established practices: require MFA for privileged accounts, enforce strong password policies, configure firewalls to filter unsolicited connection requests, and secure RDP endpoints and other remote access solutions. Because the actor in this case authenticated with valid accounts that already had MFA enabled, MFA on its own would not have blocked the access; monitoring VPN logins for anomalous source addresses, timing and devices is a necessary complement.