The attackers may have exploited an authentication bypass vulnerability in the SolarWinds Orion software as a 0-day to deploy the SuperNova malware in target environments.
According to a security bulletin issued by the US CERT/CC on December 26, the SolarWinds Orion API, which is used to connect with all other Orion system monitoring and management products, has a security vulnerability (CVE-2020-10148) that remote attackers can exploit to execute unauthenticated API commands and compromise a SolarWinds instance.
The advisory notes that API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of the URI sent to the API.
In particular, if the attacker appends the PathInfo value 'WebResource.adx', 'ScriptResource.adx', 'i18n.ashx' or 'Skipi18n' to a request sent to the SolarWinds Orion server, SolarWinds sets the SkipAuthorization flag, which causes the API request to be processed without authentication.
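As an added illustration from the defender's side (not code from the article, CERT/CC or SolarWinds), the following Python check scans IIS-style request logs for Orion API requests whose URI path carries one of the four PathInfo values named above. The API path prefix, the case-insensitive matching and the sample log lines are assumptions and constructed data, not values taken from the advisory.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# PathInfo values that make the Orion API set SkipAuthorization
# (CVE-2020-10148), as listed in the CERT/CC advisory quoted above.
SKIP_AUTH_TOKENS = ("WebResource.adx", "ScriptResource.adx", "i18n.ashx", "Skipi18n")
_TOKEN_RE = re.compile("|".join(re.escape(t) for t in SKIP_AUTH_TOKENS), re.IGNORECASE)

# Assumption: the Orion API is served under this path prefix; requests
# elsewhere (e.g. legitimate /Orion/WebResource.axd) are ignored.
API_PREFIX = "/solarwinds/informationservice/"


def classify_request(uri: str) -> Optional[str]:
    """Return the bypass token found in the URI *path* of an Orion API
    request, or None. Matching is case-insensitive on the URL-decoded
    path (an assumption made to err on the side of detection); the
    query string is deliberately ignored because the flaw is in PathInfo."""
    path = unquote(urlsplit(uri).path)
    if not path.lower().startswith(API_PREFIX):
        return None
    match = _TOKEN_RE.search(path)
    return match.group(0) if match else None


# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2020-12-20 10:01:02 198.51.100.7 GET /Orion/Login.aspx - 200
2020-12-20 10:01:05 198.51.100.7 GET /Orion/WebResource.axd d=abc 200
2020-12-20 10:02:11 203.0.113.9 GET /SolarWinds/InformationService/v3/Json/Query/WebResource.adx query=SELECT+TOP+1+Name+FROM+Orion.Nodes 200
2020-12-20 10:02:15 203.0.113.9 POST /SolarWinds/InformationService/v3/Json/Query/skipi18n - 200
2020-12-20 10:03:00 192.0.2.4 GET /SolarWinds/InformationService/v3/Json/Query query=SELECT+1 401
"""


def scan_iis_log(text: str) -> list:
    """Flag requests matching the bypass pattern; a 2xx status on such a
    request from a client that never authenticated is the strongest signal."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip W3C header lines and truncated records
        _date, _time, client, method, stem, query, status = fields[:7]
        uri = stem if query == "-" else f"{stem}?{query}"
        token = classify_request(uri)
        if token:
            hits.append({"line": lineno, "client": client, "method": method,
                         "token": token, "status": int(status)})
    return hits
```

On the constructed sample, lines 3 and 4 are flagged while the legitimate WebResource.axd request and the rejected (401) query are not.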
SolarWinds updated its previous security bulletin on December 24, stating that attackers can deploy malware by exploiting a vulnerability in the Orion Platform. However, the details of the vulnerability have not yet been fully disclosed.
Last week, Microsoft disclosed a second threat actor that may have abused the SolarWinds Orion software to deliver a separate piece of malware, SuperNova, onto target systems.
This was also confirmed by the Palo Alto Networks Unit 42 threat intelligence team and GuidePoint Security. Both security companies describe it as a .NET web shell implemented by modifying the "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application.
Although the legitimate purpose of the DLL is to return the user-configured logo image to other components of the Orion web application through an HTTP API, the malicious version allows it to receive remote commands from an attacker-controlled server and execute them on that server. The commands run in memory in the context of the user.
Researchers from the Unit 42 team pointed out that SuperNova is novel and powerful because of its execution in memory, the complexity of its parameters and execution, and the flexibility of a complete programming API through the .NET runtime.
The SuperNova web shell is said to have been delivered by an unknown third-party actor, distinct from the SunBurst actor (UNC2452), because, unlike the SunBurst DLL, this DLL is not digitally signed.
Government agencies and cybersecurity experts are working hard to understand the full consequences of the attack and to piece together a global intrusion that could span 18,000 SolarWinds customers.
FireEye, the first company to discover the SunBurst implant, stated in an analysis article that once legitimate remote access is achieved, the actors behind the espionage operation usually remove their tools, including backdoors. This indicates a high degree of technical maturity and attention to operational security.
Evidence discovered by ReversingLabs and Microsoft shows that the key building blocks used to attack SolarWinds were in place as early as October 2019, when the attackers added harmless modifications to a regular software update to blend in with the original code, followed by malicious modifications that enabled further attacks against SolarWinds customers and the theft of their data.
The current SolarWinds Orion Platform versions provided by the vendor include:
2019.4 HF 6 (released on December 14, 2020)
2020.2.1 HF 2 (released on December 15, 2020)
2019.2 SUPERNOVA Patch (released on December 23, 2020)
2018.4 SUPERNOVA Patch (released on December 23, 2020)
2018.2 SUPERNOVA Patch (released on December 23, 2020)
Customers who have upgraded to version 2020.2.1 HF 2 or 2019.4 HF 6 already have the fixes for both SunBurst and SuperNova and do not need to take further action.