The China-based Spiral group is believed to be behind a year-long attack that exploited a flaw in SolarWinds Orion technology to drop a web shell.

Members of an advanced persistent threat (APT) group, posing as remote employees with legitimate credentials, gained access to a US organization’s network and implanted a backdoor called Supernova on its SolarWinds Orion server, then used it to perform reconnaissance, domain mapping and data theft.

The attackers had access to the network for nearly a year, from March 2020 to February 2021, before being discovered and blocked, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday in a report summarizing the conclusions of its investigation into the incident.

The report is the latest on SolarWinds and its Orion network management server technology. However, the Supernova tool and the APT group behind it are distinct from the group that used legitimate software updates from Orion to distribute malware dubbed Sunburst to 18,000 organizations around the world. Last week, the US government officially attributed the widely reported attack – described by many as one of the most sophisticated of all time – to the Russian foreign intelligence service, SVR.

CISA’s malware analysis report, which includes indicators of compromise and mitigation recommendations, did not attribute the Supernova attack to any specific group or country. However, others, such as Secureworks, which recently investigated similar intrusions, have attributed Supernova and its operators to Spiral, a suspected China-based threat group. Only a small handful of organizations are known to have been infected with Supernova, at least so far.

In its report, CISA describes the incident as likely starting last March, when attackers connected to the unnamed US entity’s network through a Pulse Secure virtual private network (VPN) appliance. CISA’s investigation showed that the attackers used three residential IP addresses to access the VPN appliance. They authenticated there using valid user accounts, none of which were protected by multi-factor authentication. CISA said it was unable to determine how the attackers obtained the credentials. VPN access allowed the attackers to impersonate legitimate remote employees of the organization.
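The access pattern described here, successful VPN logins from valid accounts that had no multi-factor authentication, arriving from a handful of residential addresses, is something a defender can look for in appliance authentication logs. The following is an added example and not code from CISA, Secureworks or the article; the key=value log format, the field names, the organizational IP ranges and the log lines themselves are all constructed for illustration.

```python
"""
Added example: flag successful VPN authentications that lack MFA and come
from addresses outside the organization's known ranges, then rank accounts
seen from several distinct external addresses for review first.
Log format, field names, ranges and log lines are constructed, not real.
"""
import ipaddress
from collections import defaultdict

# Constructed: address ranges the organization recognises as its own
# (office egress, partner network). Anything else is treated as external.
KNOWN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed office egress
    ipaddress.ip_network("198.51.100.0/24"),  # constructed partner range
]

# Constructed log lines in a simple key=value layout (not a real appliance format).
SAMPLE_LOG = """\
ts=2020-03-02T08:14:11Z user=jdoe src=203.0.113.7 result=success mfa=yes
ts=2020-03-02T21:40:02Z user=asmith src=192.0.2.45 result=success mfa=no
ts=2020-03-03T03:12:59Z user=asmith src=192.0.2.77 result=success mfa=no
ts=2020-03-03T03:15:20Z user=asmith src=192.0.2.130 result=success mfa=no
ts=2020-03-03T09:01:44Z user=rlee src=198.51.100.9 result=success mfa=no
ts=2020-03-03T11:22:08Z user=mchen src=192.0.2.45 result=failure mfa=no
"""


def parse_event(line):
    """Turn one key=value log line into a dict; blank lines yield None."""
    line = line.strip()
    if not line:
        return None
    return dict(token.split("=", 1) for token in line.split())


def is_external(ip_text):
    """True when the source address lies outside every known organizational range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in KNOWN_RANGES)


def find_risky_logins(log_text):
    """
    Return {user: [src_ip, ...]} for accounts that authenticated successfully
    without MFA from external addresses. Failed attempts and MFA-protected
    logins are ignored; each list keeps first-seen order without duplicates.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["result"] != "success" or ev["mfa"] != "no":
            continue
        if is_external(ev["src"]) and ev["src"] not in hits[ev["user"]]:
            hits[ev["user"]].append(ev["src"])
    return dict(hits)


def prioritise(hits, min_sources=2):
    """
    Accounts seen from several distinct external addresses are the first to
    review: that is the shape of the access CISA describes (one set of valid
    credentials, several residential source IPs, no MFA).
    """
    return sorted(user for user, ips in hits.items() if len(ips) >= min_sources)


if __name__ == "__main__":
    risky = find_risky_logins(SAMPLE_LOG)
    for user, ips in risky.items():
        print(f"{user}: non-MFA external logins from {', '.join(ips)}")
    print("review first:", prioritise(risky))
```

In the constructed sample only `asmith` is reported: `jdoe` used MFA, `rlee` came from a known range, and `mchen` never authenticated successfully. In practice the external check would be replaced by the organization's own allow-list or an IP-reputation feed that distinguishes residential from corporate address space, and the MFA flag would come from whatever field the appliance actually logs.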

Once the attackers gained initial access to the victim network, they moved laterally to the SolarWinds Orion server and installed Supernova, a .NET web shell, there. As was the case with the handful of other breaches involving Supernova, the attackers appear to have exploited an authentication bypass flaw (CVE-2020-10148) in the SolarWinds Orion API to run a PowerShell script that deployed the web shell.

“CISA believes the threat actor exploited CVE-2020-10148 to bypass authentication to the SolarWinds appliance, then used the SolarWinds Orion API to run commands with the same privileges as the SolarWinds appliance (in this case, SYSTEM),” CISA explained.

Unlike the Sunburst backdoor associated with the Russian campaign, Supernova was not embedded in Orion’s own software. Instead, the attackers installed the malware on servers running Orion by exploiting CVE-2020-10148. Once it was installed, they used the web shell to dump SolarWinds server credentials. Weeks later, the adversary logged in again through the VPN appliance and attempted to use the stolen credentials to gain access to an additional workstation. On another occasion, the threat actor used Windows Management Instrumentation and other legitimate utilities to enumerate running processes, and to collect, archive and exfiltrate data.

Consistent with other attacks

Don Smith, senior director of Secureworks’ Counter Threat Unit, said the timeline, tools, tactics and procedures outlined by CISA this week are consistent with the company’s own findings at the end of its investigation into two intrusions at a client organization.

The report corroborates “our assessment that the two intrusions we responded to in the same organization were both perpetrated by the same threat actor, [Spiral, aka Bronze Spiral],” Smith says.

These TTPs included initial access through the exploitation of vulnerable Internet-facing systems, he says. They also include “the deployment of the Supernova web shell, the theft of credentials, continued access through VPN services using legitimate credentials, the deployment of other renamed tools to hide their function, and the use of compromised infrastructure for command and control,” says Smith.

The Supernova campaign was very focused and appears to have reached only a very small number of organizations. However, it serves as an example of how adversaries constantly look for vulnerabilities they can exploit for initial access. Once established on a network, these threats can be difficult to eliminate, Smith notes.

“We also have to remember that it doesn’t take long for other, more opportunistic threats like ransomware operators to take hold of exploits once they become public and seek to use them for their own benefit, in which case any organization is a potential target,” he said.

