A Chinese threat group has presumably deployed a malicious web shell on Windows systems by exploiting a zero-day in SolarWinds’ Orion network monitoring software. Secureworks reported that it attributed the intrusions to a threat group it has named Spiral. Microsoft revealed on December 22, 2020 that a second hacking group may have been exploiting the IT infrastructure provider’s Orion software to drop a persistent backdoor named Supernova.
Cybersecurity firms Palo Alto Networks’ Unit 42 threat intelligence group and GuidePoint Security verified the findings, and both described Supernova as a .NET web shell implemented by modifying the “appweblogoimagehandler.ashx.b6031896.dll” module of the SolarWinds Orion application. These changes were made not by compromising the SolarWinds update infrastructure but by exploiting an authentication bypass vulnerability in the Orion API, tracked as CVE-2020-10148, which permits a remote attacker to execute unauthenticated API commands.
"Unlike Solorigate [aka Sunburst], this malicious DLL does not have a digital signature, which suggests that this may be unrelated to the supply chain compromise," Microsoft had stated.
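The two points above, a web shell delivered by replacing an Orion DLL and the absence of a digital signature on that DLL, give defenders a concrete check. The following PowerShell is an added example, not code from SolarWinds, Microsoft or Secureworks; the install path under `C:\inetpub\SolarWinds` is an assumption and should be pointed at your own Orion web directory.

```powershell
# Added example (not the vendor's or the researchers' code): list DLLs under the
# Orion web root whose Authenticode signature is missing or invalid, the property
# Microsoft highlighted for the Supernova DLL. The default path is an assumption.
param(
    [string]$OrionWebRoot = 'C:\inetpub\SolarWinds'   # assumed default install path
)

function Get-UnsignedOrionDll {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) is worth a look
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Status       = $sig.Status
                    Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                    LastModified = $_.LastWriteTime
                    # Hash kept so a hit can be compared against known-good vendor copies
                    SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

$findings = Get-UnsignedOrionDll -Root $OrionWebRoot

if ($findings) {
    # Most recently modified files first; a handler module that changed recently
    # and lost its signature is the pattern described in the reports
    $findings |
        Sort-Object LastModified -Descending |
        Format-Table Path, Status, Signer, LastModified -AutoSize
} else {
    Write-Output "No unsigned or invalidly signed DLLs found under $OrionWebRoot"
}
```

Runtime-compiled ASP.NET assemblies under the Temporary ASP.NET Files directory are normally unsigned, so keep the scan scoped to the product's own directories and compare any hit against a known-good copy rather than treating every unsigned DLL as malicious.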
According to the researchers of Secureworks Counter Threat Unit (CTU), "the immediate and targeted nature of the lateral movement suggests that Spiral had prior knowledge of the network."
The Sunburst campaign has been formally linked to Russia, but the origins of Supernova are still unknown. As the investigation continued, similarities were found between this incident and earlier intrusion activity uncovered in August 2020. "CTU researchers were initially unable to attribute the August activity to any known threat groups," the researchers stated. "However, the following similarities to the Spiral intrusion in late 2020 suggest that the Spiral threat group was responsible for both intrusions."
The Chinese link can be established because attacks targeting ManageEngine servers have been connected to various hacking groups in that country. In addition, the modus operandi of abusing long-term persistence to gather sensitive information, exfiltrate credentials, and plunder intellectual property also corroborates the connection with China.
However, more reliable evidence came in the form of an IP address that geolocated to China. The researchers said that the IP address belonged to a host the attackers used to run Secureworks’ endpoint detection and response software, which further suggested that the software may have been stolen from the victim’s compromised computer.
"The threat group likely downloaded the endpoint agent installer from the network and executed it on the attacker-managed infrastructure," the researchers detailed. "The exposure of the IP address was likely unintentional, so its geolocation supports the hypothesis that the Spiral threat group operates out of China."
SolarWinds had, in fact, already addressed Supernova in an Orion Platform update released on December 23, 2020.