SUPERNOVA Linked to SPIRAL Group

Introduction

In December 2020, researchers reported on the SolarWinds supply chain attack. Secureworks researchers observed an attacker deploying the SUPERNOVA web shell by exploiting a SolarWinds Orion vulnerability. Further analysis found that the incident resembled intrusion activity discovered on the same network in early 2020. This similarity indicates that the two intrusions are related to some degree, and the researchers attributed both to the SPIRAL group.

Researchers named the operator behind the SUPERNOVA web shell SPIRAL and, based on their assessment, believe the group may be based in China. Note that the SUPERNOVA web shell is unrelated to the SUNBURST trojan from the SolarWinds Orion supply chain attack; it is a separate attack.

Deploying SUPERNOVA

The attacker used the SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148) to execute a script, and then wrote the SUPERNOVA web shell to disk through PowerShell commands.

SUPERNOVA is written in .NET C# and is a trojanized version of the legitimate DLL (app_web_logoimagehandler.ashx.b6031896.dll) used by the SolarWinds Orion platform.

Writing the SUPERNOVA WebShell to disk:

The attacker interacted with the SUPERNOVA web shell to run the net, dir and whoami commands for reconnaissance, and used the legitimate comsvcs.dll library to dump the LSASS process in order to obtain credentials.

Similarities to a previous intrusion

In early 2020, a Secureworks researcher identified an intrusion. Analysis showed that the attacker had initially obtained access through a ManageEngine ServiceDesk server in 2018 and used that access to collect and exfiltrate domain credentials on a regular basis.

In August 2020, the attacker returned to the network through the ManageEngine ServiceDesk server, collected credentials from two servers, and then used them to access files from the SharePoint and OneDrive services hosted in Office 365.

Researchers were initially unable to attribute the August 2020 intrusion to a known group. However, in December 2020, the similarities with the SPIRAL group's intrusion indicated that the same group was responsible for both intrusions:

  • The attacker used the same command to dump the LSASS process through comsvcs.dll and wrote the dump to the same output file path.
  • Access to the same two servers: a domain controller and a server that can provide access to sensitive business data.
  • The same working directory: c:\users\public (all lowercase).
  • Both breaches used three compromised administrator accounts.
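As an added example that is not part of the Secureworks report, the following Python detection sketch covers the behaviours described above: reconnaissance commands spawned from the Orion web worker process and LSASS dumps through comsvcs.dll, with c:\users\public as a corroborating working directory. It assumes Sysmon-style process-creation fields and that the Orion web console runs under the IIS worker w3wp.exe; every log record is constructed.

```python
# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",   # assumed IIS worker
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "CurrentDirectory": r"c:\users\public"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     # arguments and dump name are placeholders, not the real command
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll <args> c:\users\public\<dump>",
     "CurrentDirectory": r"c:\users\public"},
    {"ParentImage": r"C:\Windows\explorer.exe",                 # benign interactive use
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "CurrentDirectory": r"C:\Users\alice"},
]

# Commands the report says were run through the web shell for reconnaissance.
RECON_TOOLS = {"cmd.exe", "net.exe", "net1.exe", "whoami.exe"}
WEB_WORKER = "w3wp.exe"                  # assumption: Orion runs in IIS
PUBLIC_DIR = r"c:\users\public"          # working directory named in the report


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of detection tags that apply to one process event."""
    findings = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"].lower()
    cwd = event["CurrentDirectory"].lower().rstrip("\\")
    # Shell or recon tool launched by the web worker: web shell activity.
    if parent == WEB_WORKER and image in RECON_TOOLS:
        findings.append("webshell-recon")
    # rundll32 loading comsvcs.dll: the LSASS dump technique from the report.
    if image == "rundll32.exe" and "comsvcs.dll" in cmd:
        findings.append("comsvcs-lsass-dump")
    # The working directory alone is noisy; use it only to corroborate.
    if findings and cwd == PUBLIC_DIR:
        findings.append("public-workdir")
    return findings


def scan(events):
    """Return (index, tags) for every event that raised at least one tag."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Running scan(SAMPLE_EVENTS) flags the first two constructed records and leaves the benign third one untouched.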

IOCs

SPIRAL C2
SUPERNOVA 