In late 2020, Secureworks CTU researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. CTU analysis indicates that this activity is unrelated to the SUNBURST supply chain attack that trojanized the SolarWinds Orion business software updates. CTU researchers have attributed the SUPERNOVA activity to the SPIRAL espionage group. The threat actor exploited a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148) to execute a reconnaissance script and then write the SUPERNOVA web shell to disk.

Similarities between the SUPERNOVA activity and a previous compromise of the network suggest that SPIRAL was responsible for both intrusions as: 

• The threat actors used identical commands to dump the LSASS process via comsvcs.dll and used the same output file path.
• The same two servers were accessed: a domain controller and a server that could provide access to sensitive business data.
• The same ‘c:\users\public’ path (all lowercase) was used as a working directory.
• Three compromised administrator accounts were used in both intrusions.

Michael Isbitski, Technical Evangelist at Palo Alto, Calif.-based Salt Security, explains, “The exploit of an Internet-facing SolarWinds server to deploy the SUPERNOVA web shell is not surprising in the wake of the SolarWinds attack. We’ll likely continue to see campaigns and parallel attack similar to this one that victimize unpatched APIs to bypass authentication. This kind of attack falls into the OWASP API Security Top 10 risks, where unpatched or misconfigured API authentication allow attackers to compromise authentication tokens or to exploit implementation flaws to gain access to and compromise a system."

Isbitski says, "These findings should act as a stark reminder about the critical importance of patching. No longer can organizations delay patching critical, known vulnerabilities because of concerns over outages, the impact on production users, or the loss of oversight of a system. Unpatched systems are leaving important elements of the IT stack vulnerable, especially APIs, which attackers are increasingly targeting these days since they route traffic directly to valuable data and services. This kind of activity looks to be an emerging signature of the group behind this attack, so organizations need to be increasingly vigilant about such vulnerabilities.”

Oliver Tavakoli, CTO at San Jose, Calif.-based Vectra, says, “There is a longstanding practice of attackers looking for services exposed to the internet which ought not be accessible. Shodan is one manifestation of the trend of looking for such services and attempting to classify them by what information they leak on an attempt to connect. Efforts to exploit internet-facing SolarWinds servers are unlikely to be related to the SolarWinds supply chain attack given that the whole purpose of that hack was to not require the SolarWinds server to be internet-facing.”

For detailed findings, please visit https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group