As the probe into the SolarWinds supply chain attack continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider’s Orion software to drop a similar persistent backdoor on target systems.
“The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” Microsoft 365 research team said on Friday in a post detailing the Sunburst malware.
What makes the newly revealed malware, dubbed “Supernova,” different is that unlike the Sunburst DLL, Supernova (“app_web_logoimagehandler.ashx.b6031896.dll”) is not signed with a legitimate SolarWinds digital certificate, signaling that the compromise may be unrelated to the previously disclosed supply chain attack.
In a standalone write-up, researchers from Palo Alto Networks said the Supernova malware is compiled and executed in-memory, permitting the attacker to bypass endpoint detection and response (EDR) systems and “deploy full-featured – and presumably sophisticated – .NET programs in reconnaissance, lateral movement and other attack phases.”
How the Sunburst Backdoor Operates
The discovery is yet another indication that in addition to being a lucrative infection vector for threat actors, the supply chain attack of SolarWinds — which cast a wide net of 18,000 companies and government agencies — had been executed with a far broader scope and extraordinary sophistication.
The adversaries used what’s called a supply chain attack, exploiting SolarWinds Orion network management software updates the company distributed between March and June of this year to plant malicious code in a DLL file (aka Sunburst or Solorigate) on the targets’ servers that’s capable of stealthily gathering critical information, running remote commands, and exfiltrating the results to an attacker-controlled server.
Analysis of the Solorigate modus operandi has also revealed that the campaign chose to steal data only from a select few of thousands of victims, opting to escalate their attacks based on intel amassed during an initial reconnaissance of the target environment for high-value accounts and assets.
The escalation involves the predefined command-and-control (C2) server — a now-sinkholed domain called “avsvmcloud[.]com” — responding to the infected system with a second C2 server that allows the Sunburst backdoor to run specific commands for privilege escalation exploration, credential theft, and lateral movement.
The fact that the compromised DLL file is digitally signed implies a compromise of the company’s software development or distribution pipeline, with evidence suggesting that the attackers have been conducting a dry run of the campaign as early as October 2019.
The October files did not have a backdoor embedded in them in the way that subsequent software updates SolarWinds Orion customers downloaded in the spring of 2020 did — rather, it was mainly used to test if the modifications showed up in the newly released updates as expected.
The US Cybersecurity and Infrastructure Security Agency (CISA), in an alert last week, said it found evidence of initial infection vectors using flaws other than the SolarWinds software.
Cisco, VMware, and Deloitte Confirm Malicious Orion Installations
Cybersecurity firms Kaspersky and Symantec have said they each identified 100 customers who downloaded the trojanized package containing the Sunburst backdoor, with the latter finding traces of a second-stage payload called Teardrop in a small number of organizations.
The specific number of infected victims remains unknown at this time but has steadily increased since cybersecurity firm FireEye revealed it had been breached via SolarWinds’s software early this month. A number of US government agencies and private companies, including Microsoft, Cisco, Equifax, General Electric, Intel, NVIDIA, Deloitte, and VMware, have reported finding the malware on its servers.
“Following the SolarWinds attack announcement, Cisco Security immediately began our established incident response processes,” Cisco said in a statement to The Hacker News via email.
“We have isolated and removed Orion installations from a small number of lab environments and employee endpoints. At this time, there is no known impact to Cisco products, services, or to any customer data. We continue to investigate all aspects of this evolving situation with the highest priority.”
FireEye was the first to expose the wide-ranging espionage campaign on December 8 after discovering that the threat actor had stolen its arsenal of Red Team penetration testing tools, making it so far the only instance where the attackers escalated access thus far. No foreign governments have announced compromises of their own systems.
Although media reports have cited it to be the work of APT29, Russia has denied involvement in the hacking campaign. Neither have cybersecurity companies and researchers from FireEye, Microsoft, and Volexity attributed these attacks to the threat actor.