
SolarWinds Hack — New Evidence Suggests Potential Links to Chinese Hackers
2021-03-09 01:58

A malicious web shell deployed on Windows systems by exploiting a previously undisclosed zero-day vulnerability in SolarWinds' Orion network monitoring software may have been the work of a Chinese threat group.

The findings were also corroborated by cybersecurity firms Palo Alto Networks' Unit 42 threat intelligence team and GuidePoint Security, both of which described Supernova as a .NET web shell implemented by modifying the "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application.

According to Secureworks Counter Threat Unit researchers - who discovered the malware in November 2020 while responding to a hack in one of its customers' networks - "The immediate and targeted nature of the lateral movement suggests that Spiral had prior knowledge of the network."

"CTU researchers were initially unable to attribute the August activity to any known threat groups," the researchers said.

More solid evidence arrived in the form of an IP address that geolocated to China. According to the researchers, it belonged to a host the attackers used to run Secureworks' endpoint detection and response software, for reasons best known to the threat actor, which suggests the software was taken from the compromised customer's network.

"The threat group likely downloaded the endpoint agent installer from the network and executed it on the attacker-managed infrastructure," the researchers detailed.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/Mnwl5OH0_Uw/solarwinds-hack-new-evidence-suggests.html
