In December 2020, researchers reported on the SolarWinds supply chain attack. Secureworks researchers observed that the attacker deployed the SUPERNOVA WebShell by exploiting vulnerabilities in SolarWinds Orion. Further analysis found that the incident resembled intrusion activity discovered on the same network in early 2020; this similarity indicates that the two intrusions are related to a certain degree, and the researchers attributed the intrusion to the SPIRAL Group.
Researchers named the operator behind the SUPERNOVA WebShell SPIRAL and, based on their assessment, believe that the Group may be based in China. Note that the SUPERNOVA WebShell has nothing to do with the SUNBURST Trojan used in the SolarWinds Orion supply chain attack; it is a separate attack event.
SUPERNOVA is written in .NET C# and is a trojanized version of the legitimate DLL (app_web_logoimagehandler.ashx.b6031896.dll) used by the SolarWinds Orion platform.
Writing the SUPERNOVA WebShell to disk:
The attacker interacted with the SUPERNOVA WebShell to run the net, dir and whoami commands for reconnaissance, and used the legitimate comsvcs.dll library to dump the LSASS process in order to obtain credentials.
Similar to previous intrusions
In early 2020, a Secureworks researcher identified an intrusion. Analysis showed that the attacker initially obtained access through a ManageEngine ServiceDesk server in 2018 and used that access to collect and exfiltrate domain credentials on a regular basis.
In August 2020, the attacker returned to the network through the ManageEngine ServiceDesk server, collected credentials from two servers, and then used them to access files from the Office 365-hosted SharePoint and OneDrive services.
Researchers were initially unable to attribute the August 2020 intrusion to a known group. However, in December 2020, similarities with the SPIRAL Group's intrusion indicated that the Group is responsible for both intrusions:
- The attacker used the same command to dump the LSASS process through comsvcs.dll and the same output file path.
- Access to the same two servers: a domain controller and a server that provides access to sensitive business data.
- The same working directory: c:\users\public (all lowercase).
- Both breaches used three compromised administrator accounts.
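A defender-side illustration of the overlaps listed above, as added example code that is not from the Secureworks report: it scans constructed process-creation events for the comsvcs.dll MiniDump invocation, records whether the dump was staged under c:\users\public, and surfaces accounts that ran the dump on more than one host. The host names, account names, process IDs and dump file name are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style); these are not
# telemetry from the investigation, only realistic sample input for the rule.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": r"CORP\svc_admin1", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 c:\users\public\lsass.dmp full"},
    {"host": "fs02", "user": r"CORP\svc_admin1", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 700 c:\users\public\lsass.dmp full"},
    {"host": "web01", "user": r"CORP\helpdesk", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"host": "web01", "user": r"CORP\helpdesk", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami"},
]

# comsvcs.dll exports MiniDump; legitimate software has no reason to call it
# from rundll32 against a user-writable path, so DLL name plus export is a
# high-fidelity match regardless of the separator or casing the operator used.
COMSVCS_MINIDUMP = re.compile(r"comsvcs\.dll\s*,?\s*minidump\b", re.IGNORECASE)
# Staging under c:\users\public is one of the overlaps the report lists.
PUBLIC_STAGING = re.compile(r"c:\\users\\public\\", re.IGNORECASE)


def detect_comsvcs_dump(events):
    """Return one finding per process event that invokes comsvcs.dll MiniDump."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if not COMSVCS_MINIDUMP.search(cmd):
            continue
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "staged_in_public": bool(PUBLIC_STAGING.search(cmd)),
        })
    return findings


def accounts_dumping_on_multiple_hosts(findings):
    """Accounts whose comsvcs dumps appear on two or more hosts, sorted by name."""
    hosts_by_user = defaultdict(set)
    for f in findings:
        hosts_by_user[f["user"]].add(f["host"])
    return sorted(u for u, hosts in hosts_by_user.items() if len(hosts) >= 2)
```

The same two patterns map directly onto a SIEM query over the process command-line field; the cross-host grouping is what turns a single alert into the "same accounts, same servers" overlap the researchers used for attribution.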