SUPERNOVA Backdoor: A Second APT Group Abused SolarWinds Flaw to Deploy Web Shell Malware

[post-views]
December 28, 2020 · 3 min read
SUPERNOVA Backdoor: A Second APT Group Abused SolarWinds Flaw to Deploy Web Shell Malware

New details related to epoch-making SolarWinds supply-chain attack came into light. Research from Microsoft indicates that another stand-alone APT actor might have a hand in SolarWinds Orion compromise. Particularly, cyber-criminals utilized a newly discovered zero-day bug to infect targeted instances with SUPERNOVA backdoor.

New ZeroDay Vulnerability in SolarWinds Orion Software (CVE-2020-10148)

The vulnerability was disclosed on December 25, 2020 in a dedicated CERT Coordination Center advisory. The researchers reveal it is a bypass authentication issue (CVE-2020-10148) that was utilized to execute API commands remotely and deploy SUPERNOVA backdoor. The vulnerability enables API authentication bypass by adding special parameters to the Request.PathInfo part of a URL request to the SolarWinds server. This way, the unauthorized hackers may set the SkipAuthorization flag and launch API request processing.

SUPERNOVA Backdoor Technical Overview

Unit 42 analysts provide evidence that SUPERNOVA backdoor is a highly sophisticated and stealth .NET web shell malware able to deploy complex .NET programs aimed at reconnaissance and lateral movement. The malware was inserted to SolarWinds Orion systems via modifying the legitimate .NET library “app_web_logoimagehandler.ashx.b6031896.dll.” In fact, four additional parameters (codes, clazz, method, args) were added to the authentic DLL. These slight additions allowed adversaries to send arbitrary commands from the server and execute them in-memory with the high privileges of a server user. 

SUPERNOVA relies on the DynamicRun method to compile the mentioned four parameters into a .NET assembly on the fly and execute them on the Orion host. Such an approach allowed hackers to evade detection since no malicious artifacts are recorded to disk. 

Notably, analysts believe SUPERNOVA web shell was implanted by a different APT group, which is not related to the SUNBURST hackers. Such an assumption is supported by the fact that trojanized .NET DLL lacks a digital signature, while DLLs related to SUNBURST do have ones.

Attack Detection and Mitigation Actions

The new SolarWinds zero-day bug was addressed on December 23, 2020, so users are urged to promote their software to the safe versions. In case the upgrade is impossible, check the Solarwinds security advisory to learn more about relevant mitigation steps.

Also, you might apply a Sigma rule for proactive SUPERNOVA backdoor detection, which was developed by the SOC Prime team and available at our Threat Detection marketplace since December 14, 2020: 

https://tdm.socprime.com/tdm/info/QSO2ai3DAIUw/3WLCX3YBTwmKwLA9I6bl/

The rule has translations for the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio

EDR: Carbon Black

NTA: Corelight

MITRE ATT&CK: 

Tactics: Initial Access

Techniques: Supply Chain Compromise (T1195)

In case you don’t have a paid access to the Threat Detection Marketplace, you might activate your free trial under a community subscription to unlock the Sigma rule related to SUPERNOVA webshell. More rules associated with SolarWinds Orion software compromise you may find in our blog posts dedicated to FireEye breach and SUNBURST backdoor analysis.

Subscribe to the Threat Detection Marketplace for free to check more curated SOC content for efficient attack detection. Feel ready to create your own Sigma rules and contribute to the cyber threat detection initiatives? Join our Threat Bounty Program

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts