
An APT Group Exploits VPN to Deploy Supernova on SolarWinds Orion

CISA has issued an alert about an APT group that has been leveraging the Supernova backdoor to compromise SolarWinds Orion installations. The group gains access to the network by connecting to the organization's Pulse Secure VPN appliance.

What has been discovered?

CISA spotted the APT group during an incident response engagement at an unnamed organization. Between March 2020 and February 2021, the attacker gained access to the enterprise network via VPN credentials.
  • Instead of exploiting a vulnerability, the threat actor connected to the VPN using valid accounts that had MFA enabled, which let them blend in as genuine teleworking employees of the affected organization.
  • In December 2020, Microsoft revealed information about a second espionage group abusing the IT infrastructure provider's Orion software to deploy a persistent backdoor, Supernova, on target systems.
  • The Supernova .NET web shell was deployed by modifying the app_web_logoimagehandler[.]ashx[.]b6031896[.]dll module of the SolarWinds Orion application.
  • The modification was made possible by exploiting an authentication bypass vulnerability in the Orion API (CVE-2020-10148), which allows API commands to be executed without authentication.
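Because the alert ties the Supernova deployment to an altered copy of the logo image handler DLL, a defender's first check is whether that module still matches a trusted baseline. The script below is an added example, not code from CISA, SolarWinds or Cyware: it hashes every file matching the handler's name pattern under a root directory, diffs the result against a previously recorded baseline, and reports added, removed and modified files. The directory layout, file contents and the `deadbeef` name segment in `demo()` are constructed for illustration; the real baseline would come from a snapshot taken on a known-clean installation.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Name pattern of the Orion module the alert says was altered to carry
# the Supernova web shell; the middle segment varies per installation.
HANDLER_GLOB = "app_web_logoimagehandler.ashx.*.dll"


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, reading it in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, pattern: str = HANDLER_GLOB) -> dict[str, str]:
    """Map each matching file (POSIX-style path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob(pattern))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a trusted baseline and a fresh snapshot."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean tree, then alter the handler DLL.

    The tree layout and file bytes are made up for this example; they do not
    reproduce the real Orion install or the real Supernova binary.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        handler = root / "Orion" / "bin" / "app_web_logoimagehandler.ashx.b6031896.dll"
        handler.parent.mkdir(parents=True)
        handler.write_bytes(b"CONSTRUCTED clean handler bytes")
        baseline = snapshot(root)  # what a known-good snapshot would have recorded

        # Simulate the in-place modification the alert describes ...
        handler.write_bytes(b"CONSTRUCTED altered handler bytes")
        # ... and a second, unexpected copy appearing elsewhere under the root.
        extra = root / "other" / "app_web_logoimagehandler.ashx.deadbeef.dll"
        extra.parent.mkdir(parents=True)
        extra.write_bytes(b"CONSTRUCTED unexpected copy")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    # In practice: snapshot() a clean host, store the JSON, and re-run compare()
    # against it on a schedule or during incident response.
    print(json.dumps(demo(), indent=2))
```

Any entry under "modified" or "added" is a lead to pull the file for analysis; an empty diff only says the module matches the baseline you trust, so the baseline itself must have been captured before the exposure window.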

Techniques employed by the APT group

The group was able to dump credentials from the SolarWinds appliance using two methods:


The investigation is ongoing, and CISA has recommended that organizations follow established practices: use MFA for privileged accounts, enforce strong password policies, configure firewalls to filter unsolicited connection requests, and secure RDP endpoints along with any other remote access solutions.

Cyware Publisher