SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group

In late 2020, Secureworks® Counter Threat Unit™ (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked. CTU™ researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China.


SPIRAL threat group’s SUPERNOVA deployment


During a November 2020 incident response engagement, Secureworks analysts observed a threat actor exploiting a vulnerability in the SolarWinds Orion Platform to deliver the SUPERNOVA web shell. CTU analysis indicates that this activity is unrelated to the SUNBURST supply chain attack that trojanized the SolarWinds Orion business software updates. CTU researchers attribute the SUPERNOVA activity to the SPIRAL espionage group.


The threat actor exploited a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148) to execute a reconnaissance script and then write the SUPERNOVA web shell to disk (see Figure 1).



Figure 1. Sample HTTP POST requests sent to the SolarWinds server and corresponding commands executed on the host. (Source: Secureworks)


The reconnaissance script consisted of a series of commands concatenated using “&”. The script wrote the output to C:\inetpub\SolarWinds\license.txt (see Figure 2).



Figure 2. Reconnaissance script executed by exploiting CVE-2020-10148. (Source: Secureworks)


The SUPERNOVA web shell was written to disk using a PowerShell command (see Figure 3). SUPERNOVA is written in .NET C# and is a trojanized version of the legitimate DLL (app_web_logoimagehandler.ashx.b6031896.dll) used by the SolarWinds Orion Platform.
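The two host-side steps described above (an “&”-chained reconnaissance script redirecting output into the SolarWinds web root, followed by PowerShell handling a file named after the legitimate logo-handler DLL) can be turned into simple process-creation detections. The following is an added example, not Secureworks code; the event structure and the sample command lines are constructed for illustration, and only the output path and DLL name come from the write-up.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators taken from the write-up: the recon output path and the DLL name
# SUPERNOVA masquerades as. Everything else here is constructed for the example.
RECON_OUTPUT = r"c:\inetpub\solarwinds\license.txt"
SUPERNOVA_DLL = "app_web_logoimagehandler.ashx.b6031896.dll"


@dataclass
class ProcEvent:
    """Minimal process-creation record (hypothetical shape, not a real Sysmon schema)."""
    image: str     # executable that was started
    cmdline: str   # full command line as logged


def flag_event(ev: ProcEvent) -> List[str]:
    """Return the names of every detection rule this event matches."""
    hits = []
    cl = ev.cmdline.lower()
    img = ev.image.lower()
    # Rule 1: two or more '&'-joined commands whose output is redirected into the
    # SolarWinds web root, matching the reconnaissance script described above.
    chained = cl.count("&") >= 2
    redirected = re.search(r'>+\s*"?' + re.escape(RECON_OUTPUT), cl) is not None
    if chained and redirected:
        hits.append("recon_script_to_solarwinds_webroot")
    # Rule 2: PowerShell referencing the file name SUPERNOVA impersonates.
    if img.endswith("powershell.exe") and SUPERNOVA_DLL in cl:
        hits.append("powershell_handles_supernova_dll_name")
    return hits


def scan(events: List[ProcEvent]) -> dict:
    """Map event index -> matched rules for every event that fired at least one rule."""
    results = {}
    for i, ev in enumerate(events):
        hits = flag_event(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry; command lines are illustrative, not captured data.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c whoami & hostname & ipconfig /all > "C:\inetpub\SolarWinds\license.txt"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -c [IO.File]::WriteAllBytes('C:\temp\app_web_logoimagehandler.ashx.b6031896.dll', $b)"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\inetpub\SolarWinds"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules, SAMPLE_EVENTS[idx].cmdline)
```

In production the file-name rule should be paired with a known-good hash comparison of the DLL in the Orion install directory, since the web shell keeps the legitimate name.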


