By: Ravie Lakshmanan
A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds’ Orion network monitoring software may have been the work of a possible Chinese threat group.
In a report published by Secureworks on Monday, the cybersecurity firm attributed the intrusions to a threat actor it calls Spiral.
Back on December 22, 2020, Microsoft disclosed that a second espionage group may have been abusing the IT infrastructure provider’s Orion software to drop a persistent backdoor called Supernova on target systems.
The findings were also corroborated by cybersecurity firms Palo Alto Networks’ Unit 42 threat intelligence team and GuidePoint Security, both of whom described Supernova as a .NET web shell implemented by modifying an “app_web_logoimagehandler.ashx.b6031896.dll” module of the SolarWinds Orion application.
The alterations were made possible not by breaching the SolarWinds app update infrastructure but instead by leveraging an authentication bypass vulnerability in the Orion API tracked as CVE-2020-10148, in turn allowing a remote attacker to execute unauthenticated API commands.
“Unlike Solorigate [aka Sunburst], this malicious DLL does not have a digital signature, which suggests that this may be unrelated to the supply chain compromise,” Microsoft had noted.
While the Sunburst campaign has since been formally linked to Russia, the origins of Supernova remained a mystery until now.
According to Secureworks Counter Threat Unit (CTU) researchers — who discovered the malware in November 2020 while responding to a hack in one of its customers’ networks — “the immediate and targeted nature of the lateral movement suggests that Spiral had prior knowledge of the network.”
During the course of further investigation, the firm said it found similarities between the incident and that of a prior intrusion activity on the same network uncovered in August 2020, which had been accomplished by exploiting a vulnerability in a product known as ManageEngine ServiceDesk as early as 2018.
“CTU researchers were initially unable to attribute the August activity to any known threat groups,” the researchers said. “However, the following similarities to the Spiral intrusion in late 2020 suggest that the Spiral threat group was responsible for both intrusions.”
The connection to China stems from the fact that attacks targeting ManageEngine servers have long been associated with threat groups located in the country, not to mention the modus operandi of exploiting long-term persistence to collect credentials, exfiltrate sensitive data, and plunder intellectual property.
But more solid evidence arrived in the form of an IP address that geolocated to China, which the researchers said came from a host that was used by the attackers to run Secureworks’s endpoint detection and response (EDR) software for reasons best known to the threat actor, suggesting the software may have been stolen from the compromised customer.
“The threat group likely downloaded the endpoint agent installer from the network and executed it on the attacker-managed infrastructure,” the researchers detailed. “The exposure of the IP address was likely unintentional, so its geolocation supports the hypothesis that the Spiral threat group operates out of China.”
It’s worth pointing out that SolarWinds addressed Supernova in an update to Orion Platform released on December 23, 2020.