What We Know (and Don’t Know) So Far About the ‘Supernova’ SolarWinds Attack
March 30, 2021 – Article posted on Dark Reading
It’s mostly been overshadowed by the massive and brazen supply chain breach of the SolarWinds Orion software-build process — the lesser-known Supernova cyberattack also remains a bit of a mystery. Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds’ Orion network management software, so far have been scarce.
…Researchers have tied the Supernova attacks to a previously unknown Chinese nation-state group named “Spiral”…
…Supernova first came to light back in December and was originally thought to be related to the SolarWinds supply chain attack, although soon thereafter Microsoft revealed that it was not part of that attack…
…It’s not unusual for multiple nation-state attacker groups to target the same victim organization, nor even to reside concurrently and unbeknownst to one another while conducting their intelligence-gathering operations. But Supernova and the Orion supply chain attack demonstrate how nation-states also can have similar ideas yet different methods regarding how they target and ultimately burrow into the networks of their victims…
…Wes Riley, incident response operations and technical lead at GuidePoint Security, recently analyzed the Supernova Web shell. Riley says that although the Supernova code was not especially sophisticated, it was “elegant.” The Web shell is memory-resident, and the attackers used an existing API to set up their access to gathering intel.
The Supernova Web shell poses as a SolarWinds Web service, displaying the Orion logo image. “The purpose of the file is just to grab an image … to pull the logo for SolarWinds [Orion] and present it,” he explains. “Other Web pages on that Web UI will call that file and grab the image.” Placing the malicious code there was elegant and stealthy, he says.
Riley doesn’t consider the SolarWinds API vulnerability that the attackers exploited a true zero-day bug. “It’s a gray area,” he says. The attackers basically abused a function of the software and its application programming interface. “They found a location in the software where a forward-facing page will call a function,” he says…
Read More HERE.