![[Update] Researchers Investigating SolarWinds Hack Finds Possible Link to China: Supernova Malware Detected](https://1734811051.rsc.cdn77.org/data/images/full/381627/update-researchers-investigating-solarwinds-hack-finds-possible-link-to-china-supernova-malware-detected.png)
Researchers working in the Counter Threat Unit or CTU over at Secureworks have recently discovered a new and possible link towards China while still examining just how SolarWinds servers were apparently used to deploy critical malware.
.NET Supernova malware
According to an article by TechRadar, during the end of last year, a particularly compromised internet-facing SolarWinds server was reportedly used as a sort of springboard by hackers in order to deploy the cunning .NET web shell Supernova malware. Based on other similar intrusions that occurred on the reported same network, it actually appears that the Chinese-based Spiral threat group is now thought to be responsible for both of the cases.
The authentication bypass vulnerability in the given SolarWinds Orion API was tracked as CVE-2020-10148 and also can lead to other remote execution of the said API commands have reportedly been exploited by Spiral actively, according to Secureworks' report. When vulnerable servers are first detected then exploited, a new script that is capable of writing the whole Supernova web shell to disk is then deployed using a new PowerShell command.
Advanced web shell used
The Supernova is reportedly written in .NET and is an advanced web shell capable of maintaining persistence even on a compromised machine as well as able to still compile certain methods, arguments, and also code data in-memory. This was according to a post coming from Palo Alto Network's very own Unit 42.
During a particular incident that was observed by Secureworks that recently occurred some time last August, Supernova was reportedly used by Spiral in order to perform some kind of reconnaissance, domain mapping in order to be able to steal both the credentials and the information coming from ManageEngine ServiceDesk server. This particular incident actually shares some similarities to the recent one that had occurred some time in November and was also analyzed by the firm's very own Counter Threat Unit.
Chinese Spiral threat group
While the two reported cases are actually believed to be the work of the Chinese Spiral threat group, there is still no direct link tying it up to the enormouse SolarWinds hack that had happened some time in December of last year. In order to prevent falling victim towards future attacks by the Spiral threat group, Secureworks recommends that the high profile organizations use the available controls in order to restrict access to a number of IP addresses that point directly towards the threat group's reported C&C servers.
SolarWinds hack
According to an article by KrebsonSecurity, back in Dec 13, SolarWinds had actually acknowledged that the hackers had been able to insert malware directly into a service that had been providing software updates for its supposed Orion platform. The platform was reportedly a suite of products that were used well across the US government as well as other Fortune 500 firms in order to monitor the health of their very own IT networks.
On December 14, it was noted that roughly 33,000 of over 300,000 customers were actually Orion customers. It was also noted that less than 18,000 customers might have installed the Orion product containing a certian malicious code.
Related Article: [UPDATE] SolarWinds Executive Blames Intern for Leaking Company Password 'solarwinds123:' The Password Used Since 2017
This article is owned by Tech Times
Written by Urian Buenconsejo
