Security News > 2021 > March > Hackers hiding Supernova malware in SolarWinds Orion linked to China

Intrusion activity related to the Supernova malware planted on compromised SolarWinds Orion installations exposed on the public internet points to an espionage threat actor based in China.

Unlike the malware used in the SolarWinds supply-chain attack [1, 2, 3], which was embedded in the Orion software builds from the developer, the Supernova web shell ended inside the platform after hackers exploited a critical vulnerability in product installations reachable over the public web.

The intrusion vector was a SolarWinds Orion API authentication bypass that allowed the attacker to execute a reconnaissance script and commands and drop the Supernova web shell 30 minutes later.

After planting Supernova in SolarWinds Orion by trojanizing a legitimate file the platform used, the attacker used the comsvcs.

Update : SolarWinds reached out to BleepingComputer with a statement to clarify that Supernova is malware planted in the Orion software present on the customer network and not part of the supply-chain attack attributed to Russian hackers.

"This report references an incident where a network was first compromised in a way that was unrelated to SolarWinds. That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer's network. It is important to note that Supernova is not associated with the broad and sophisticated supply chain attack that targeted multiple software companies as vectors. Supernova was neither signed nor delivered by SolarWinds and the issue was addressed in Orion platform updates that were released in December" - SolarWinds.

News URL

https://www.bleepingcomputer.com/news/security/hackers-hiding-supernova-malware-in-solarwinds-orion-linked-to-china/