[German]Security researchers and forensic experts have found two other malware variants, Supernova and CosmicGale, in systems infected with the SunBurst Trojan via SolarWinds Orion software. Security researchers suspect that there is a second hacking group at work.
It’s the joke of 2020: SolarWinds Orion software is widely used to monitor IT infrastructures. And now systems on which this product has been installed are proving to be as full of holes as Swiss cheese from a security point of view. After the Sunburst backdoor was discovered more or less by accident (see SUNBURST hack: Microsoft’s analysis and news), the iceberg is lifting and it is slowly becoming more and more visible. VMware now also had to announce to have been compromised by the SolarWinds story (see this article).
Supernova and CosmicGale
Computer forensic experts are now taking a closer look at systems with SolarWinds Orion software installed. In the meantime, it has become known that further malware was found on some of the systems infected with SunBurst.
Catalin Cimpanu points out this new finding in the above tweet and has published this article on the topic on ZDNet. Bleeping Computer also has this post about it. There are analyses from security firms Guidepoint, Symantec, and Palo Alto Networkthat indicate more malware was found on the infected systems. The reports describe attackers also injected a .NET web shell called Supernova. Security researchers therefore assumed the attackers used the Supernova Web shell to download, compile and execute a malicious Powershell script (which some have dubbed CosmicGale).
However, ZDNet’s article points to an analysis by Microsoft’s security teams that shows the SuperNove web shell is not part of the actual SunBurst attack. Companies that find SuperNova on their systems must assume a separate attack on their IT. A post by Microsoft security analyst Nick Carr notes that the Supernova web shell appears to have been placed on SolarWinds Orion installations that were unprotected against the CVE-2019-8917 vulnerability and accessible online. The vulnerability in SolarWinds Orion products, which has been known since 2019, is described as follows:
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user.
The vulnerability thus allowed remote code execution (RCE) on target systems running Orion software. In an analysis, Microsoft found that the Supernova DLL, unlike the Sunburst DLL, was not signed with a legitimate digital certificate from SolarWinds. This deviates from the sophisticated approach of the SunBurst attackers so seriously that one should assume other authors.
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a ‘Kill Switch’ and EINSTEIN’s fail
SUNBURST malware was injected into SolarWind’s source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft’s analysis and news
Cookies helps to fund this blog: Cookie settings