SolarWinds has released an updated security advisory on SUPERNOVA malware, a separate threat vector from the previously reported supply chain cyberattack that was based on SUNBURST backdoor malware.
New information has also emerged on the SolarWinds Orion API authentication bypass vulnerability CVE-2020-10148, including postings from AttackerKB and a 0-day proof of concept (PoC) on GitHub.
According to SolarWinds, SUPERNOVA is malware placed on a server that allows an actor to gain unauthorized access to the SolarWinds customer’s network.
“The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned webshell .dll ‘app_web_logoimagehandler.ashx.b6031896.dll’ specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates,” SolarWinds explained in the advisory.
More information on SUPERNOVA was also published in previous blog posts by Microsoft and Palo Alto Networks' Unit 42. Both companies confirmed that the threat actors behind SUPERNOVA were likely different from those behind the SUNBURST supply chain cyberattacks.
Moreover, the malware was likely dropped by a third-party actor and disguised as a legitimate SolarWinds product.
“The attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network. The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically,” explained the Unit 42 cybersecurity experts.
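The advisory names an unsigned webshell DLL dropped into the Orion Platform. The following PowerShell check is an added example, not code from SolarWinds, Microsoft or Unit 42: it walks a directory tree, flags the DLL name quoted in the advisory and any other .dll whose Authenticode signature is not valid, and records a SHA-256 hash for each hit so it can be compared against published indicators. The Orion root path is an assumed placeholder; adjust it to the deployment being checked.

```powershell
# Added defender example (not from the SolarWinds advisory).
# Hunts for the SUPERNOVA webshell DLL named in the advisory and for any other
# unsigned or invalidly signed .dll under the Orion web root.
param(
    # ASSUMPTION: placeholder for the Orion web root; set to your actual install path.
    [string]$OrionRoot = 'C:\inetpub\SolarWinds'
)

# File name exactly as quoted in the SolarWinds advisory.
$knownWebshell = 'app_web_logoimagehandler.ashx.b6031896.dll'

$findings = Get-ChildItem -Path $OrionRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature reports Valid, NotSigned, HashMismatch, etc.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject   # $null when unsigned
            NameMatch = ($_.Name -ieq $knownWebshell)
            Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Where-Object { $_.NameMatch -or $_.SigStatus -ne 'Valid' }

if ($findings) {
    # Known webshell name first, then every other DLL that fails signature validation.
    $findings | Sort-Object NameMatch -Descending | Format-Table -AutoSize
} else {
    Write-Output "No unsigned DLLs and no '$knownWebshell' found under $OrionRoot"
}
```

Legitimate third-party DLLs may also report NotSigned, so treat a non-valid signature as a triage lead to be confirmed against vendor hashes rather than as proof of compromise on its own.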
SUPERNOVA is yet another threat alongside SUNBURST, the backdoor malware used in the supply chain attack.
Since the original reports were published, researchers have added new advisories on the SolarWinds Orion API authentication bypass vulnerability.
Assigned CVE-2020-10148, this vulnerability can lead to remote code execution.
“This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance,” wrote the CERT Coordination Center in a new advisory.
Furthermore, AttackerKB explained that CVE-2020-10148 was discovered after an investigation, which led to the identification of a web shell on an affected victim. The bad actors used the SolarWinds API 0-day vulnerability to install the SUPERNOVA malware.
It is important to note that this vulnerability is rated 9.8 and that a PoC demonstrating how to exploit it has been published on GitHub.
SolarWinds backdoor threat
On December 17, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) warned that the SolarWinds supply chain attack posed a ‘grave risk’ to critical infrastructure, government and private sector organizations.
At that time, the cybersecurity experts said the threat actor had “demonstrated sophistication and complex tradecraft in these intrusions.” The actors also possess a strong knowledge of how to exploit software supply chains and Windows networks.
The CISA alert followed its Emergency Directive 21-01 of December 13 and a SolarWinds security advisory, both issued in response to malicious actors exploiting SolarWinds Orion products.
A key component of the Orion software framework is the digitally signed DLL SolarWinds.Orion.Core.BusinessLayer.dll. This DLL contained the SUNBURST backdoor, which communicates over HTTP with third-party systems.
As a result, many SolarWinds customers that downloaded Orion product updates were compromised, including a growing list of second-stage attack victims.
Readers can check out Related Articles for additional articles related to SolarWinds and other supply chain cyberattacks.
Original posting on December 28, 2020.
Update on December 29, 2020: Added new details on the SolarWinds Orion API authentication bypass vulnerability CVE-2020-10148, including postings from AttackerKB and the GitHub PoC.
- Solorigate malware behind the SolarWinds attack
- Cybersecurity experts reveal growing list of SolarWinds 2nd stage attack victims
- CISA: Threat actors behind SolarWinds hack pose ‘grave risk’ (updated)
- Global active exploits against SolarWinds via Sunburst backdoor
- DHS warns businesses of risks using Chinese tech and data services