Dark Reading is part of the Informa Tech Division of Informa PLC

What We Know (and Don't Know) So Far About the 'Supernova' SolarWinds Attack

A look at the second elusive attack targeting SolarWinds software that researchers at Secureworks recently cited as the handiwork of Chinese nation-state hackers.

Mostly overshadowed by the massive and brazen supply chain breach of the SolarWinds Orion software-build process, the lesser-known Supernova cyberattack also remains a bit of a mystery. Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds' Orion network management software, so far have been scarce.


Fewer than a handful of victims are known to have been targeted, and an investigation into the breach of one of them led researchers at Secureworks to tie the Supernova attacks to a previously unknown Chinese nation-state group they dubbed "Spiral."

Supernova first came to light during FireEye's investigation into the Orion software-update attack (aka Sunburst, Solorigate) back in December, and at first it was mistakenly believed to be part of the supply chain campaign. Microsoft soon thereafter reported that Supernova was not part of the supply chain attack.

It's likely coincidental that two separate nation-states were targeting the same software, albeit in very different ways, experts say. "I think it's a coincidence" that both Chinese and Russian advanced persistent threats (APTs) targeted SolarWinds software in their attacks, notes Mike McLellan, director of intelligence at Secureworks. The high-profile discovery of the attack from Russia may also have "burned" China's parallel operation for now, he says.

That could explain the dearth of additional activity reported by researchers on Supernova: The attackers may have halted the Orion attack and sought other ways to quietly target and spy on their victims.

It's not unusual for multiple nation-state attacker groups to target the same victim organization, nor even to reside concurrently and unbeknownst to one another while conducting their intelligence-gathering operations. But Supernova and the Orion supply chain attack demonstrate how nation-states also can have similar ideas yet different methods regarding how they target and ultimately burrow into the networks of their victims.

Supernova homed in on SolarWinds' Orion by exploiting a flaw in the software running on a victim's server; Sunburst did so by inserting malicious code into builds for versions of the Orion network management platform. The digitally signed builds then were automatically sent to some 18,000 federal agencies and businesses last year via a routine software update process, but the attackers ultimately targeted far fewer victims than those who received the malicious software update, with fewer than 10 federal agencies affected as well as some 40 of Microsoft's own customers. US intelligence agencies have attributed that attack to a Russian nation-state group, and many details of the attack remain unknown.

Supernova took a more traditional, yet stealthy, approach to leveraging the rich view of a victim's network that Orion's mapping and monitoring features provide. "Supernova was looking for SolarWinds on the [victim's] network and compromising them from there," explains Secureworks' McLellan.

"The Russian activity comes from the SolarWinds network," he says of the supply chain attack using Sunburst. "That's the key difference."

Ben Read, FireEye Mandiant Threat Intelligence's director of analysis, agrees that the two attacks were separate and unrelated — with different victims. "We have no indication one operation knew about the other," he says. The widespread adoption of the Orion software may well have made it a "compelling target" for multiple state intelligence agencies to use in their attacks, he says.

Microsoft recently began referring to the supply chain campaign and the attackers behind it as Nobelium.

The Targets
Reuters first reported a China nexus for the Supernova attack in early February, identifying the US Department of Agriculture (USDA)'s National Finance Center (NFC) as a target of the Supernova attackers. But the USDA disputed reporting that the NFC had been breached.

When contacted by Dark Reading about the Supernova attack, USDA reiterated that it had "no evidence" that NFC suffered a data breach, but it was still investigating.

"In compliance with [the Cybersecurity and Infrastructure Security Agency]'s emergency directive and to protect USDA systems, USDA notified customers in December that it had removed SolarWinds Orion products from its networks due to the SolarWinds compromise. While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center," the agency said in a statement in response to inquiries by Dark Reading.

The agency did not provide any further details, so it remains unclear exactly if or how the agency's Orion implementation was affected.

The Supernova victim that Secureworks investigated was a private-sector organization in the US, according to the security firm. "We're limited in what we can say about the victim," Secureworks' McLellan says. "Information theft was the target: information related to their clients, customers."

SolarWinds, meanwhile, says it knows of one victim of the Supernova attack, according to a company spokesperson. "That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer's network," the spokesperson says, noting that the flaw since has been patched. "Supernova was neither signed nor delivered by SolarWinds, and the issue was addressed in Orion platform updates that were released in December."

SolarWinds did not disclose any additional details about the victim.

How It Works
Supernova comprises two components: a Web shell, delivered as an unsigned Windows .dll crafted to look like legitimate Orion code (app_web_logoimagehandler.ashx.b6031896.dll); and an exploit for a previously unknown API authentication bypass flaw (CVE-2020-10148), which was used to plant the Web shell.

The now-patched vuln let an attacker run commands without authenticating to the API; the Supernova attackers used it to install the Web shell into the victims' Orion software running on their internal servers.

Secureworks found a link between Supernova and a previous attack on one of its clients, which it detailed in a blog post earlier this month.

The Spiral team exploited the API authentication flaw on Orion to drop the Supernova Web shell onto the victim's internal SolarWinds server such that it could then remotely run its own commands on the server. It then moved laterally to two hosts: a domain controller for harvesting credentials, according to Secureworks, and then a server that provided access to sensitive information about the business. The attackers appeared to know the network layout, given the speed and targeting of the servers; Secureworks incident responders thwarted further infiltration of the network.

"There was malicious activity on the SolarWinds server on this client's network," which Secureworks then found had exploited an API bypass vulnerability, says Marc Burnard, a senior information security researcher with Secureworks.

"They used that vuln to drop the Supernova Web shell onto the SolarWinds server and began interacting with it to run commands on the server."

They then moved laterally to a domain controller to steal credentials and another server that could have given them access to client data, he says.

The victim organization had suffered an attack in early 2020 with some similar characteristics, according to Secureworks: The attackers exploited one of the organization's public-facing ManageEngine ServiceDesk servers and silently harvested domain credentials over a period of nearly two years; then, in August 2020, they used credentials stolen from two of the victim's servers to take files from its Office 365 SharePoint and OneDrive cloud applications.

Secureworks matched the two attacks to the same threat actor because of the similar techniques involved: The attackers used the same commands and output file paths for their dumps of the Microsoft Windows Local Security Authority Subsystem Service (LSASS) process memory, the same directory name, and in each case a domain controller and a server that led to valuable business information. And three compromised admin accounts were used in both attacks.

Wes Riley, incident response operations and technical lead at GuidePoint Security, recently analyzed the Supernova Web shell. Riley says that although the Supernova code was not especially sophisticated, it was "elegant." The Web shell is memory-resident, and the attackers used an existing API to set up their access for intelligence gathering.

The Supernova Web shell poses as a SolarWinds Web service, displaying the Orion logo image. "The purpose of the file is just to grab an image ... to pull the logo for SolarWinds [Orion] and present it," he explains. "Other Web pages on that Web UI will call that file and grab the image." Placing the malicious code there was elegant and stealthy, he says.

Riley doesn't consider the SolarWinds API vulnerability that the attackers exploited a true zero-day bug. "It's a gray area," he says. The attackers basically abused a function of the software and its application programming interface. "They found a location in the software where a forward-facing page will call a function," he says.
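Because the malicious .dll replaces the handler that Orion's own pages call to fetch the logo image, its tasking traffic lands in the same IIS log as every benign logo fetch. The following hunt is an added example, not code from the article, SolarWinds, Secureworks or GuidePoint: it parses W3C-format IIS log lines and flags requests to LogoImageHandler.ashx that do not look like a UI page pulling the logo. The log lines are constructed; the allowlist of a single id parameter, the query-length threshold and the handler path are assumptions, and the parameter names on the suspicious sample line (clazz, method, args, codes) follow public analyses of the Supernova .dll rather than anything stated in this article.

```python
"""Hunt for tasking of a Web shell hiding behind Orion's LogoImageHandler.ashx.

Added example, not code from the article or from SolarWinds. The IIS W3C log
lines below are constructed. ASSUMPTIONS: a benign logo fetch is a GET carrying
only an 'id' parameter, with a short query string and a Referer from the UI.
"""
from urllib.parse import parse_qs

HANDLER_PATH = "/orion/logoimagehandler.ashx"   # compared case-insensitively
EXPECTED_PARAMS = {"id"}                          # ASSUMPTION: what a logo fetch carries
MAX_QUERY_LEN = 200                               # ASSUMPTION: anything longer is tasking

# Constructed sample. The third line mimics a tasking request; its parameter
# names follow public analyses of the Supernova .dll, not this article.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2020-11-02 09:14:05 GET /Orion/LogoImageHandler.ashx id=0 10.20.30.40 https://orion.corp.example/Orion/Login.aspx 200
2020-11-02 09:14:06 GET /Orion/Images/logo.png - 10.20.30.40 https://orion.corp.example/Orion/Login.aspx 200
2020-11-02 23:41:12 GET /Orion/LogoImageHandler.ashx clazz=DynamicRun&method=Run&args=whoami&codes=dXNpbmcgU3lzdGVtOw== 10.20.30.99 - 200
2020-11-02 23:41:40 POST /Orion/LogoImageHandler.ashx - 10.20.30.99 - 200
"""


def parse_iis(text):
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated lines rather than misalign
                rows.append(dict(zip(fields, parts)))
    return rows


def suspicious_reasons(row):
    """Why a LogoImageHandler.ashx request looks like Web shell tasking; [] if benign."""
    if row["cs-uri-stem"].lower() != HANDLER_PATH:
        return []
    query = "" if row["cs-uri-query"] == "-" else row["cs-uri-query"]
    reasons = []
    if row["cs-method"].upper() != "GET":
        reasons.append(f"method {row['cs-method']}")     # pages only GET the logo
    extra = set(parse_qs(query, keep_blank_values=True)) - EXPECTED_PARAMS
    if extra:
        reasons.append("unexpected params " + ",".join(sorted(extra)))
    if len(query) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(query)}")
    if not reasons:
        return []
    # A missing Referer is only corroboration: the UI pages that pull the logo set one.
    if row["cs(Referer)"] == "-":
        reasons.append("no referer")
    return reasons


def hunt(text):
    """(timestamp, client IP, reasons) for each suspicious handler request."""
    hits = []
    for row in parse_iis(text):
        reasons = suspicious_reasons(row)
        if reasons:
            hits.append((f"{row['date']} {row['time']}", row["c-ip"], reasons))
    return hits


if __name__ == "__main__":
    for when, client, reasons in hunt(SAMPLE_LOG):
        print(when, client, "; ".join(reasons))
```

Run against real logs, the allowlist should be built from a known-clean Orion instance first, since the legitimate handler's parameters vary by version; the point is that a handler whose only job is returning an image has no business receiving POSTs or long, unfamiliar query strings.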

Secureworks researchers say that, aside from characteristics Supernova shares with other nation-state actors out of China, they were able to tie the two attacks on their customer to China via a small but significant misstep the attackers made: exposing an IP address. "A Secureworks endpoint detection and response (EDR) agent checked in from a host that did not belong to the compromised organization and used an IP address geolocated to China," according to Secureworks' findings.
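The misstep Secureworks describes is detectable without any attribution work: an EDR tenant should only ever see agents from hosts in the asset inventory, checking in from IP space the organization owns or expects. The following is an added example, not Secureworks' EDR or its analysis code: it reconciles constructed agent check-in records against a constructed inventory, owned IP ranges and a stand-in geolocation table, and reports any agent that fails those checks. The hostnames, ranges and the geolocation table are all assumptions; in practice the table is a real GeoIP database and the inventory comes from the CMDB.

```python
"""Reconcile EDR agent check-ins against the asset inventory and owned IP space.

Added example, not Secureworks' EDR or analysis code. The check-in records,
inventory, owned ranges and geolocation table are constructed; a real GeoIP
database and CMDB export take their place in practice.
"""
import ipaddress

# Constructed: address space the organization owns or routes egress through.
OWNED_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
# Constructed: hostnames the CMDB knows about.
INVENTORY = {"DC01", "FILESRV02", "WS17", "ORION01"}
# Constructed stand-in for a GeoIP database: network -> ISO country code.
GEO_TABLE = {ipaddress.ip_network("198.51.100.0/24"): "XX"}
EXPECTED_COUNTRIES = {"US"}   # ASSUMPTION: where this organization operates

# Constructed check-in records as an EDR console would export them.
CHECKINS = [
    {"agent_id": "a-01", "hostname": "ORION01", "external_ip": "203.0.113.10",
     "last_seen": "2021-02-14T02:10:00Z"},
    {"agent_id": "a-02", "hostname": "WS17", "external_ip": "203.0.113.11",
     "last_seen": "2021-02-14T02:12:00Z"},
    {"agent_id": "a-03", "hostname": "DC01", "external_ip": "10.1.1.5",
     "last_seen": "2021-02-14T02:12:30Z"},
    {"agent_id": "a-44", "hostname": "DESKTOP-7K2QL1", "external_ip": "198.51.100.77",
     "last_seen": "2021-02-14T02:15:00Z"},
]


def geolocate(ip):
    """Country for an IP from the stand-in table; owned/unknown space counts as 'US'."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "US"   # ASSUMPTION for the constructed data only


def audit_checkin(record):
    """Reasons this agent check-in does not belong to the organization; [] if clean."""
    reasons = []
    addr = ipaddress.ip_address(record["external_ip"])
    if record["hostname"].upper() not in INVENTORY:
        reasons.append("hostname not in asset inventory")
    if not any(addr in net for net in OWNED_RANGES):
        reasons.append("source IP outside owned ranges")
    country = geolocate(record["external_ip"])
    if country not in EXPECTED_COUNTRIES:
        reasons.append(f"geolocated to {country}")
    return reasons


def audit_checkins(records):
    """Every record that fails a check, with its reasons attached."""
    findings = []
    for record in records:
        reasons = audit_checkin(record)
        if reasons:
            findings.append({**record, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_checkins(CHECKINS):
        print(f["agent_id"], f["hostname"], f["external_ip"], "; ".join(f["reasons"]))
```

Scheduling this reconciliation against the EDR's agent list turns a lucky catch into a standing control: an attacker who stages stolen tooling, or the victim's own agent installer, on a machine outside the estate shows up the first time it phones home.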

GuidePoint's Riley says Supernova's use of a Web shell rings of a Chinese nation-state operation. He says it reminds him of the way the so-called Shellcrew (aka Deep Panda) APT group operates, but he didn't have firsthand knowledge of the attackers nor was he focused on attribution in his analysis.

"The only similarities I saw with other attack groups I've seen or dealt with is more from the approach," Riley notes. Shellcrew, for instance, "is really adept at" planting malicious code along the callpath of large Web applications, he says.

Charity Wright, a cyber-threat intelligence analyst at RecordedFuture who specializes in China, says she and her team were suspicious when China basically "sat out" election-meddling operations during the 2020 US presidential campaign; the researchers figured Chinese nation-state hacking teams "were preparing something big." It turns out they were, she says, pointing to the recently revealed widespread Microsoft Exchange Server zero-day attacks as well as Supernova, although Wright says RecordedFuture could not directly confirm Supernova came from China.

Secureworks so far is the only team to publicly name China in the attacks. "While we can't independently verify the activity witnessed by Secureworks in their engagements, this would not be the first time an attacker missteps and inadvertently tips their hand," says J.A. Guerrero-Saade, principal threat researcher at SentinelOne, of the discovery by Secureworks. "Regardless, attribution based entirely on cyber indicators is notoriously fungible and should be handled with caution."

A Spiral Comeback?
Nation-states are known to leave monitoring tools in place for re-entry, Secureworks' McLellan says, or to regroup and return with a different exploit if they get discovered. "We imagine this group may reappear. They've been around since 2018; we expect them to come back with some other way of gaining access."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

4/7/2021 | 7:53:58 PM
The Enemy of My Enemy is My Friend
I believe the attacks could very well have been initiated by both Russia and China at the same time. And I also believe the primary target for SolarWinds was the US Treasury. I think the rest was collateral damage, possibly with the exception of FireEye.

Russia has decided that they cannot compete with the United States on their own so they look to China as an ally. China does not see Russia as a threat so why not work with Russia to attack America any way they can?

Russia and China have figured out that they can do more damage to the United States economy with fewer repercussions through cyberwarfare than they can by firing missiles or dropping bombs. Just look at the recent incident where a ship got stuck in the Suez Canal. It backed up hundreds of ships, costing billions of dollars a day in maritime commerce. I have no evidence that this was caused by a cyber event, but think how much easier it is to hack a container ship's navigation system than to hack the Pentagon, for instance. But the damage done and the cost associated will impact the United States to some degree.

China is playing the long game and Xi Jinping has to consider what implications its actions may have as far as their relationship with the rest of the world. Putin just wants to go back to the good old days where the Soviet Union was truly a world power. People forget that Russia's economy is about the same size as France. The only reason they have leverage is due to the number of nuclear weapons they possess.