Security News > 2021 > April > Hackers Exploit VPN to Deploy SUPERNOVA malware on SolarWinds Orion
The U.S. Cybersecurity and Infrastructure Security Agency has disclosed details of a new advanced persistent threat that's leveraging the Supernova backdoor to compromise SolarWinds Orion installations after gaining access to the network through a connection to a Pulse Secure VPN device.
"The threat actor connected to the entity's network via a Pulse Secure virtual private network appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA, and collected credentials," the agency said on Thursday.
CISA said it identified the threat actor during an incident response engagement at an unnamed organization and found that the attacker had access to the enterprise's network for nearly a year through the use of the VPN credentials between March 2020 and February 2021.
In December 2020, Microsoft disclosed that a second espionage group may have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems.
Unlike Sunburst and other pieces of malware that have been connected to the SolarWinds compromise, Supernova is a.NET web shell implemented by modifying an "App web logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application.
The modifications were made possible by leveraging an authentication bypass vulnerability in the Orion API tracked as CVE-2020-10148, in turn permitting a remote attacker to execute unauthenticated API commands.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/LE_Df1CsM5o/hackers-exploit-vpn-flaw-to-deploy.html
Related news
- Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware (source)
- Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics (source)
- Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware (source)
- ⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized AI, Hijacked Antivirus and More (source)
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
- State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns (source)
- Chinese hackers target Russian govt with upgraded RAT malware (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)
- Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals (source)
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-29 | CVE-2020-10148 | Missing Authentication for Critical Function vulnerability in Solarwinds Orion Platform 2019.4/2020.2/2020.2.1 The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. | 9.8 |