Hackers Exploit VPN to Deploy SUPERNOVA malware on SolarWinds Orion

Hackers Exploit VPN
Share It On:

25th April 2021, Kathmandu

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed details of a new advanced persistent threat (APT) that’s leveraging the Supernova backdoor to compromise SolarWinds Orion installations after gaining access to the network through a connection to a Pulse Secure VPN device.

“The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET web shell), and collected credentials,” the agency said on Thursday.

CISA said it identified the threat actor during an incident response engagement at an unnamed organization and found that the attacker had access to the enterprise’s network for nearly a year through the use of the VPN credentials between March 2020 and February 2021.

Interestingly, the adversary is said to have used valid accounts that had multi-factor authentication (MFA) enabled, rather than an exploit for a vulnerability, to connect to the VPN, thus allowing them to masquerade as legitimate teleworking employees of the affected entity.

In December 2020, Microsoft disclosed that a second espionage group may have been abusing the IT infrastructure provider’s Orion software to drop a persistent backdoor called Supernova on target systems. The intrusions have since been attributed to a China-linked threat actor called Spiral.

Unlike Sunburst and other pieces of malware that have been connected to the SolarWinds compromise, Supernova is a .NET web shell implemented by modifying an “app_web_logoimagehandler.ashx.b6031896.dll” module of the SolarWinds Orion application. The modifications were made possible by leveraging authentication bypass vulnerability in the Orion API tracked as CVE-2020-10148, in turn permitting a remote attacker to execute unauthenticated API commands.

An investigation into the incident is ongoing. In the meantime, CISA is recommending organizations to implement MFA for privileged accounts, enable firewalls to filter unsolicited connection requests, enforce strong password policies, and secure Remote Desktop Protocol (RDP) and other remote access solutions.


Share It On:

Recent Posts

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future Plans

Liberty Energy Rights Shares Offering: Eligibility, Application Process, and Future

Share It On:22nd November 2024, Kathmandu Liberty Energy Company Limited is gearing up to issue rights shares starting December 1,

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Asha Laghubitta’s 8th AGM 2024: Key Decisions and Future Plans

Share It On:22nd November 2024, Kathmandu Asha Laghubitta Bittiya Sanstha is holding its 8th Annual General Meeting (AGM) today, November

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and Reproductive Health Policies

6th Asian Population Conference 2024 in Nepal: Advancing Sexual and

Share It On: 21st November, Kathmandu Nepal is set to host the 6th Asian Population Conference from November 27 to

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Kumari Bank Promoter Share Sale: Eligibility, Application Process, and Price

Share It On:21st November, Kathmandu Kumari Bank Limited has officially declared its intention to sell a substantial number of promoter

Up to NPR 150 Cashback on Nepal Telecom and Ncell Services with Namaste Pay

Up to NPR 150 Cashback on Nepal Telecom and Ncell

Share It On:21st November, Kathmandu Namaste Pay has unveiled an exciting new campaign to reward its users with cashback on

Ncell introduces innovative feature, enabling customers to convert voice to data or data to voice services

Ncell introduces innovative feature, enabling customers to convert voice to

Share It On:21st November, Kathmandu Ncell customers can enjoy an innovative feature that allows them to convert or exchange remaining