Security News > 2021 > April > APT Abuses Pulse Secure, SolarWinds Appliances at the Same Organization
The U.S. government's Cybersecurity and Infrastructure Security Agency has raised an alarm for a new cyberattack in which both a Pulse Secure VPN appliance and the SolarWinds Orion platform were abused for malicious purposes.
Both the Pulse Secure virtual private network appliances and the SolarWinds platform are known targets for threat actors: the former for initial access to an environment, and the latter for performing supply chain attacks.
As part of the incident, the threat actors that orchestrated the attack deployed onto the SolarWinds platform a piece of malware called.
From at least March 2020 through February 2021, CISA says, the APT leveraged several user accounts enabled) to connect to the victim environment via Pulse Secure VPN. The attackers then moved laterally to the SolarWinds Orion appliance and deployed the Supernova webshell to "Dynamically inject C# source code into a web portal provided via the SolarWinds software suite."
"CISA had not observed the threat actor using privileged accounts prior to the credential dumps, and the account being used to connect to the SolarWinds appliance did not have sufficient privilege to access it," the Agency says.
The APT connected to the environment on several occasions, attempted to use dumped SolarWinds credentials, as well as to further harvest and exfiltrate credentials.