{"id":17904,"date":"2020-12-22T00:10:00","date_gmt":"2020-12-21T23:10:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=17904"},"modified":"2021-05-06T22:57:13","modified_gmt":"2021-05-06T20:57:13","slug":"solarwinds-systeme-mit-2-backdoor-gefunden","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/12\/22\/solarwinds-systeme-mit-2-backdoor-gefunden\/","title":{"rendered":"2nd backdoor found on infected SolarWinds systems"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/12\/21\/solarwinds-systeme-mit-2-backdoor-gefunden\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Security researchers and forensic experts have found two further malware variants, Supernova and CosmicGale, on systems infected with the SunBurst Trojan via the SolarWinds Orion software. Security researchers suspect that a second hacking group is at work. <\/p>\n<p><!--more--><\/p>\n<p>It is the bitter irony of 2020: SolarWinds Orion is widely used to monitor IT infrastructures, and the systems on which this product is installed are now proving, from a security point of view, to be as full of holes as Swiss cheese. After the Sunburst backdoor was discovered more or less by accident (see <a href=\"https:\/\/borncity.com\/win\/2020\/12\/21\/sunburst-hack-microsofts-analysen-und-neues\/\">SUNBURST hack: Microsoft's analysis and news<\/a>), the rest of the iceberg is slowly coming into view. 
VMware has now also had to <a href=\"https:\/\/web.archive.org\/web\/20201222095253\/https:\/\/www.vmware.com\/company\/news\/updates\/2020\/vmware-statement-solarwinds-supply-chain-compromise.html\" target=\"_blank\" rel=\"noopener\">confirm<\/a> that it was compromised in the course of the SolarWinds campaign (see <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/vmware-latest-to-confirm-breach-in-solarwinds-hacking-campaign\/\" target=\"_blank\" rel=\"noopener\">this article<\/a>). <\/p>\n<h2>Supernova and CosmicGale<\/h2>\n<p>Computer forensics experts are now taking a closer look at systems on which SolarWinds Orion is installed. In the meantime it has become known that further malware was found on some of the systems infected with SunBurst.<\/p>\n<p><a href=\"https:\/\/twitter.com\/campuscodi\/status\/1341020735079387138\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"SolarWinds with Supernova and CosmicGale malware\" alt=\"SolarWinds with Supernova and CosmicGale malware\" src=\"https:\/\/i.imgur.com\/O3US31w.png\"><\/a><\/p>\n<p>Catalin Cimpanu points out this new finding in the above tweet and has published <a href=\"https:\/\/www.zdnet.com\/article\/a-second-hacking-group-has-targeted-solarwinds-systems\/\" target=\"_blank\" rel=\"noopener\">this article<\/a> on the topic at ZDNet. Bleeping Computer also has a post about it. There are analyses from the security firms <a href=\"https:\/\/www.guidepointsecurity.com\/supernova-solarwinds-net-webshell-analysis\/\" target=\"_blank\" rel=\"noopener\">Guidepoint<\/a>, <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/sunburst-supply-chain-attack-solarwinds\" target=\"_blank\" rel=\"noopener\">Symantec<\/a> and <a href=\"https:\/\/unit42.paloaltonetworks.com\/solarstorm-supernova\/\" target=\"_blank\" rel=\"noopener\">Palo Alto Networks<\/a> that indicate more malware was found on the infected systems. 
The reports describe a .NET web shell, dubbed Supernova, that the attackers had also planted on the affected systems. Security researchers initially assumed that the attackers used the Supernova web shell to download, compile and execute a malicious PowerShell script (which some have dubbed CosmicGale). <\/p>\n<p>However, ZDNet's article points to an analysis by Microsoft's security teams which shows that the Supernova web shell is not part of the actual SunBurst attack. Companies that find Supernova on their systems must assume a separate attack on their IT. <a href=\"https:\/\/twitter.com\/ItsReallyNick\/status\/1339530685548290051\" target=\"_blank\" rel=\"noopener\">A post by Microsoft<\/a> security analyst Nick Carr notes that the Supernova web shell appears to have been placed on SolarWinds Orion installations that were reachable from the Internet and unpatched against <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-8917\" target=\"_blank\" rel=\"noopener\">CVE-2019-8917<\/a>. This vulnerability in SolarWinds Orion products, which has been known since 2019, is described as follows: <\/p>\n<blockquote>\n<p>SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user.<\/p>\n<\/blockquote>\n<p>The vulnerability thus allows an unauthenticated remote attacker to execute commands as SYSTEM on any Orion system whose OrionModuleEngine endpoint is reachable, which is all an intruder needs in order to drop a web shell. In its analysis, Microsoft also found that the Supernova DLL, unlike the Sunburst DLL, was not signed with a legitimate SolarWinds code-signing certificate. This departs so clearly from the careful tradecraft of the SunBurst attackers that one should assume different authors. 
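<\/p>\n<p>The practical takeaway from Microsoft's observation is a check anyone operating an Orion server can run: Sunburst lived inside a DLL that carried a valid SolarWinds signature, whereas the Supernova DLL did not. The following PowerShell snippet is an added example and not code from this article or from SolarWinds; it assumes the default installation directory under Program Files (x86) and that legitimate Orion binaries are signed by a certificate whose subject contains 'SolarWinds'. It lists every DLL below the Orion directory that is unsigned, carries an invalid signature, or is signed by somebody else, newest first.<\/p>

```powershell
# Added example (not from the article or from SolarWinds): find DLLs under the
# Orion installation that do NOT carry a valid SolarWinds Authenticode signature.
# Assumption: default install root  <Program Files (x86)>\SolarWinds\Orion
$orionRoot = Join-Path (Join-Path ${env:ProgramFiles(x86)} 'SolarWinds') 'Orion'
if (-not (Test-Path -Path $orionRoot)) {
    throw ('Orion directory not found: ' + $orionRoot)
}

# Sunburst hid inside a legitimately signed SolarWinds DLL; the Supernova DLL was
# not signed. Flag anything that is unsigned, tampered, or signed by another subject.
$findings = Get-ChildItem -Path $orionRoot -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        [pscustomobject]@{
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = $signer
            Written = $_.LastWriteTimeUtc  # recently written DLLs deserve the closest look
            Path    = $_.FullName
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'SolarWinds' }

# Human-readable triage list; pipe to Export-Csv instead when collecting from many hosts.
$findings | Sort-Object -Property Written -Descending |
    Format-Table -AutoSize -Property Status, Signer, Written, Path
```

<p>Two caveats belong with this check. A valid SolarWinds signature does not clear a file, because the Sunburst DLL itself was validly signed, so the known-bad hashes from the vendor and security-firm advisories still have to be compared separately. And third-party components bundled with Orion may legitimately be signed by other vendors, so each hit has to be reviewed rather than treated as malicious outright.<\/p>\n<p>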
<\/p>\n<p><strong>Similar articles:<\/strong><br \/><a href=\"https:\/\/www.borncity.com\/blog\/2020\/12\/09\/fireeye-wenn-hacker-eine-sicherheitsfirma-plndern\/\">FireEye hacked, Red Team tools stolen<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/14\/us-finanzministerium-und-weitere-us-behrde-gehackt\/\">US Treasury and US NTIA hacked<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/14\/solarwinds-produkte-mit-sunburst-backdoor-ursache-fr-fireeye-und-us-behrden-hacks\/\">SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/15\/sloppiness-at-solarwinds-responsible-for-compromised-software\/\">Sloppiness at SolarWinds responsible for compromised software?<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/16\/neues-im-kampf-gegen-die-sunburst-infektion-domain-beschlagnahmt\/\">News in the fight against SUNBURST infection, domain seized<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/17\/sunburst-malware-analytic-tool-solarflare-a-kill-switch-and-einsteins-fail\/\">SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/17\/sunburst-malware-was-injected-into-solarwinds-source-code-base\/\">SUNBURST malware was injected into SolarWind's source code base<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/18\/sunburst-hack-auch-us-atomwaffenbehrde-gehackt-neue-erkenntnisse\/\">SUNBURST: US nuclear weapons agency also hacked, new findings<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/18\/solarwinds-hack-auch-microsoft-co-betroffen\/\">SolarWinds hack: Microsoft and others also affected?<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/12\/21\/sunburst-hack-microsofts-analysen-und-neues\/\">SUNBURST hack: Microsoft's analysis and news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Security researchers and 
forensic experts have found two other malware variants, Supernova and CosmicGale, in systems infected with the SunBurst Trojan via SolarWinds Orion software. Security researchers suspect that there is a second hacking group at work.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-17904","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/17904","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=17904"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/17904\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=17904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=17904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=17904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}