Researchers from the Counter Threat Unit (CTU) at Secureworks have discovered a possible link to China while examining how SolarWinds servers were used to deploy malware.
During the end of last year, a compromised internet-facing SolarWinds server was used as a springboard by hackers to deploy the .NET web shell Supernova. Based on similar intrusions which occurred on the same network, it appears that the Chinese-based Spiral threat group is responsible for both cases.
According to Secureworks’ new report, the authentication bypass vulnerability in SolarWinds Orion API, tracked as CVE-2020-10148, that can lead to remote execution of API commands, has been actively exploited by Spiral. When vulnerable servers are detected and exploited, a script capable of writing the Supernova web shell to disk is deployed using a PowerShell command.
Supernova, which is written in .NET, is an advanced web shell that can maintain persistence on a compromised machine as well as compile “method, arguments and code data” in-memory according to a post from Palo Alto Network’s Unit 42.
During an incident observed by Secureworks that occurred last August, Supernova was used by Spiral to perform reconnaissance, domain mapping and to steal both credentials and information from a ManageEngine ServiceDesk server. This incident shares similarities to the one that occurred in November and was analyzed by the firm’s Counter Threat Unit.
While these two cases are believed to be the work of the Spiral threat group, there is no link to the SolarWinds hack that occurred in December of last year.
To prevent falling victim to future attacks by Spiral, Secureworks recommends that organizations use available controls to restrict access to several IP addresses (which can be found here) that point to the threat group’s C&C servers.