More clues appear to link Supernova web shell activity to Chinese hackers
Spiral threat group used compromised servers to deploy the Supernova web shell
Researchers from the Counter Threat Unit (CTU) at Secureworks have discovered a possible link to China while examining how SolarWinds servers were used to deploy malware.
During the end of last year, a compromised internet-facing SolarWinds server was used as a springboard by hackers to deploy the .NET web shell Supernova. Based on similar intrusions which occurred on the same network, it appears that the Chinese-based Spiral threat group is responsible for both cases.
According to Secureworks' new report, the authentication bypass vulnerability in SolarWinds Orion API, tracked as CVE-2020-10148, that can lead to remote execution of API commands, has been actively exploited by Spiral. When vulnerable servers are detected and exploited, a script capable of writing the Supernova web shell to disk is deployed using a PowerShell command.
- We've built a list of the best endpoint protection software available
- These are the best firewalls on the market
- Also check out our roundup of the best identity theft protection
Supernova, which is written in .NET, is an advanced web shell that can maintain persistence on a compromised machine as well as compile “method, arguments and code data” in-memory according to a post from Palo Alto Network's Unit 42.
Supernova
During an incident observed by Secureworks that occurred last August, Supernova was used by Spiral to perform reconnaissance, domain mapping and to steal both credentials and information from a ManageEngine ServiceDesk server. This incident shares similarities to the one that occurred in November and was analyzed by the firm's Counter Threat Unit.
While these two cases are believed to be the work of the Spiral threat group, there is no link to the SolarWinds hack that occurred in December of last year.
To prevent falling victim to future attacks by Spiral, Secureworks recommends that organizations use available controls to restrict access to several IP addresses (which can be found here) that point to the threat group's C&C servers.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
- We've also highlighted the best antivirus
Via ZDNet
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.