The Cybersecurity and Infrastructure Security Agency (CISA) has released a new malware analysis of Supernova, a backdoor that affects unpatched SolarWinds Orion software.
It is also important to point out that Supernova was not embedded within the Orion platform as part of the supply chain attack. Instead, attackers installed the malware directly on systems hosting SolarWinds Orion and disguised it as part of the SolarWinds product.
CISA describes Supernova in the new Malware Analysis Report (AR21-027A):
“This report describes the analysis of a PowerShell script that decodes and installs SUPERNOVA, a malicious webshell backdoor. SUPERNOVA is embedded in a trojanized version of the Solarwinds Orion Web Application module called ‘App_Web_logoimagehandler.ashx.b6031896.dll.’ The SUPERNOVA malware allows a remote operator to dynamically inject C# source code into a web portal provided via the SolarWinds software suite. The injected code is compiled and directly executed in memory.”
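The report describes a webshell that accepts C# source through the trojanized logo image handler and compiles it in memory, so one practical detection is to look at web-server logs for requests to that handler whose query string looks like source code rather than an image identifier. The following script is an added example and is not part of the CISA report or of any SolarWinds tooling; the IIS-style log format, the field order, the `/Orion/` path and the C# marker tokens are assumptions for illustration, and the log lines are constructed.

```python
"""Heuristic log check for source-code-like requests to the Orion logo image
handler.  Added example, not from CISA or SolarWinds.  The log layout
(date time client-ip method uri-stem uri-query status) and the C# markers
are assumptions; the sample lines below are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# Constructed W3C-style log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2020-12-14 10:01:02 10.0.0.5 GET /Orion/logoimagehandler.ashx id=1 200
2020-12-14 10:01:09 10.0.0.5 GET /Orion/Login.aspx - 200
2020-12-14 10:02:45 10.0.0.5 GET /Orion/logoimagehandler.ashx x=using+System%3B+public+class+T+%7B+public+static+void+Run%28%29+%7B%7D+%7D 200
"""

# Module name taken from the CISA report; the /Orion/ path prefix is assumed.
HANDLER = "logoimagehandler.ashx"

# Tokens a legitimate image lookup would not carry but injected C# source would
# (assumed markers: a using directive, a class/namespace declaration, or
# brace/semicolon punctuation followed by more code).
CSHARP_MARKERS = re.compile(r"\busing\s+System\b|\bclass\s+\w+|\bnamespace\b|[{};]\s*\w")


def parse_line(line):
    """Split one log line into named fields; return None for short/blank lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return {
        "time": parts[0] + " " + parts[1],
        "src": parts[2],
        "method": parts[3],
        "stem": parts[4],
        "query": parts[5],
        "status": parts[6],
    }


def is_suspicious(entry):
    """True when the request targets the handler and its decoded query looks like C# source."""
    if not entry["stem"].lower().endswith(HANDLER):
        return False
    query = unquote_plus(entry["query"])  # undo URL encoding before matching
    return bool(CSHARP_MARKERS.search(query))


def scan(log_text):
    """Return the parsed entries that trip the heuristic."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} -> {hit['stem']} query={unquote_plus(hit['query'])!r}")
```

The heuristic is deliberately narrow: a plain `id=1` lookup of the handler passes, while a query that decodes to a `using System;` directive and a class body is flagged. On a real server the same idea would be fed from the actual IIS log path and tuned to the query parameters the handler legitimately accepts.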
SolarWinds previously released an updated security advisory on the Supernova malware, a separate threat vector from the previously reported supply chain cyberattack that was based on the Sunburst backdoor malware. The update also included new information on the zero-day CVE-2020-10148 and a proof-of-concept (PoC) demo.
On a related note, CISA also warned that the recent compromise of SolarWinds by threat actors posed a ‘grave risk’ to critical infrastructure, government and private sector organizations.
- FireEye publishes Microsoft 365 tools and hardening strategies to defend against SolarWinds attackers
- DHS issues new emergency guidance on SolarWinds Orion Code compromise
- SolarWinds releases updated advisory on SUPERNOVA malware (updated with CVE-2020-10148)
- Cybersecurity experts reveal growing list of SolarWinds 2nd stage attack victims
- Solorigate malware behind the SolarWinds attack
- CISA: Threat actors behind SolarWinds hack pose ‘grave risk’ (updated)