Security News > 2021 > March > SolarWinds Hack — New Evidence Suggests Potential Links to Chinese Hackers
A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds' Orion network monitoring software may have been the work of a possible Chinese threat group.
The findings were also corroborated by cybersecurity firms Palo Alto Networks' Unit 42 threat intelligence team and GuidePoint Security, both of whom described Supernova as a.NET web shell implemented by modifying an "App web logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application.
According to Secureworks Counter Threat Unit researchers - who discovered the malware in November 2020 while responding to a hack in one of its customers' networks - "The immediate and targeted nature of the lateral movement suggests that Spiral had prior knowledge of the network."
"CTU researchers were initially unable to attribute the August activity to any known threat groups," the researchers said.
More solid evidence arrived in the form of an IP address that geolocated to China, which the researchers said came from a host that was used by the attackers to run Secureworks's endpoint detection and response software for reasons best known to the threat actor, suggesting the software may have been stolen from the compromised customer.
"The threat group likely downloaded the endpoint agent installer from the network and executed it on the attacker-managed infrastructure," the researchers detailed.
News URL
Related news
- Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control (source)
- Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs (source)
- Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle East (source)
- Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks (source)
- Chinese hackers use new data theft malware in govt attacks (source)
- Chinese hackers linked to cybercrime syndicate arrested in Singapore (source)
- Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware (source)
- Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign (source)
- Iranian hackers charged for ‘hack-and-leak’ plot to influence election (source)