dark reading threat intel and cybersecurity news

A look at the second elusive attack targeting SolarWinds software that researchers at Secureworks recently cited as the handiwork of Chinese nation-state hackers.

It’s mostly been overshadowed by the massive and brazen supply chain breach of the SolarWinds Orion software-build process — the lesser-known Supernova cyberattack also remains a bit of a mystery. Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds’ Orion network management software, so far have been scarce.

Less than a handful of victims have been known to be targeted, and an investigation into the breach of one of those victims led to researchers at Secureworks tying the Supernova attacks to a previously unknown Chinese nation-state group they dubbed “Spiral.”

Supernova first came to light during FireEye’s investigation into the Orion software-update attack (aka Sunburst, Solorigate) back in December, and at first it was mistakenly believed to be part of the supply chain attack campaign. Microsoft soon thereafter revealed that Supernova indeed was not part of the supply chain attack.

It’s likely coincidental that two separate nation-states were targeting the same software, albeit in very different ways, experts say. “I think it’s a coincidence” that both the Chinese and Russian advanced persistent threats (APTs) both targeted SolarWinds software in their attacks, notes Mike McLellan, director of intelligence at Secureworks. And the high-profile discovery of the attack from Russia may have “burned” China’s parallel operation for now, too, he says.

That could explain the dearth of additional activity reported by researchers on Supernova: The attackers may have halted the Orion attack and sought other ways to quietly target and spy on their victims.

It’s not unusual for multiple nation-state attacker groups to target the same victim organization, nor even to reside concurrently and unbeknownst to one another while conducting their intelligence-gathering operations. But Supernova and the Orion supply chain attack demonstrate how nation-states also can have similar ideas yet different methods regarding how they target and ultimately burrow into the networks of their victims.

Supernova homed in on SolarWinds’ Orion by exploiting a flaw in the software running on a victim’s server; Sunburst did so by inserting malicious code into builds for versions of the Orion network management platform. The digitally signed builds then were automatically sent to some 18,000 federal agencies and businesses last year via a routine software update process, but the attackers ultimately targeted far fewer victims than those who received the malicious software update, with fewer than 10 federal agencies affected as well as some 40 of Microsoft’s own customers. US intelligence agencies have attributed that attack to a Russian nation-state group, and many details of the attack remain unknown.

Supernova took a more traditional, yet stealthy, approach to leveraging Orion’s lucrative mapping and tracking features of a victim’s network. “Supernova was looking for SolarWinds on the [victim’s] network and compromising them from there,” explains Secureworks’ McLellan.

“The Russian activity comes from the SolarWinds network,” he says of the supply chain attack using Sunburst. “That’s the key difference.”

Ben Read, FireEye Mandiant Threat Intelligence’s director of analysis, agrees that the two attacks were separate and unrelated — with different victims. “We have no indication one operation knew about the other,” he says. The widespread adoption of the Orion software may well have made it a “compelling target” for multiple state intelligence agencies to use in their attacks, he says.

Microsoft recently renamed the supply chain attack and the attackers behind it as Nobelium.

The Targets
Reuters first reported about a China nexus for the Supernova attack in early February, identifying the US Department of Agriculture (USDA)’s National Finance Center (NFC) as a target of the Supernova attackers. But the USDA disputed reporting that that NFC had been breached.

When contacted by Dark Reading about the Supernova attack, USDA reiterated that it had “no evidence” that NFC suffered a data breach, but it was still investigating.

“In compliance with [the Cybersecurity and Infrastructure Security Agency]’s emergency directive and to protect USDA systems, USDA notified customers in December that it had removed SolarWinds Orion products from its networks due to the SolarWinds compromise. While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center,” the agency said in a statement in response to inquiries by Dark Reading.

The agency did not provide any further details, so it remains unclear exactly if or how the agency’s Orion implementation was affected.

The Supernova victim that Secureworks investigated was a private-sector organization in the US, according to the security firm. “We’re limited in what we can say about the victim,” Secureworks’ McLellan says. “Information theft was the target: information related to their clients, customers.”

SolarWinds, meanwhile, says it knows of one victim of the Supernova attack, according to a company spokesperson. “That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer’s network,” the spokesperson says, noting that the flaw since has been patched. “Supernova was neither signed nor delivered by SolarWinds, and the issue was addressed in Orion platform updates that were released in December.”

SolarWinds did not disclose any additional details about the victim.

How It Works
Supernova contains two malware components: a Web shell, an unsigned Windows .dll file crafted to appear as legitimate code on Orion (app_web_logoimagehandler.ashx.b6031896.dll); and an exploit that abused the previously unknown API authentication bypass flaw (CVE-2020-10148) that was used to run the Web shell.

The now-patched vuln let an attacker run commands without authenticating to the API; the Supernova attackers used it to install the Web shell into the victims’ Orion software running on their internal severs.

Secureworks found a link between Supernova and a previous attack on one of its clients, which it detailed in a blog post earlier this month.

The Spiral team exploited the API authentication flaw on Orion to drop the Supernova Web shell onto the victim’s internal SolarWinds server such that it could then remotely run its own commands on the server. It then moved laterally to two hosts: a domain controller for harvesting credentials, according to Secureworks, and then a server that provided access to sensitive information about the business. The attackers appeared to know the network layout, given the speed and targeting of the servers; Secureworks incident responders thwarted further infiltration of the network.

“There was malicious activity on the SolarWinds server on this client’s network,” which Secureworks then found had exploited an API bypass vulnerability, says Marc Burnard, a senior information security researcher with Secureworks.

“They used that vuln to drop the Supernova Web shell onto the SolarWinds server and began interacting with it to run commands on the server.”

They then moved laterally to a domain controller to steal credentials and another server that could have given them access to client data, he says.

The victim organization had suffered an attack in early 2020 with some similar characteristics, according to Secureworks: The attackers exploited one of the organization’s public-facing ManageEngine ServiceDesk servers, silently grabbing domain credentials over a period of nearly two years, and then in August 2020, stealing credentials from two of the victims’ servers to steal files from their Office 365 SharePoint and OneDrive cloud applications.

Secureworks matched the two attacks to the same threat actor because of the similar techniques involved: The attackers used the same commands and output file paths in the Microsoft Windows Local Security Authority Subsystem Service (LSASS), the same directory name, and a domain controller and a server to reach valuable business information. And three compromised admin accounts were used in both attacks.

Wes Riley, incident response operations and technical lead at ‎GuidePoint Security, recently analyzed the Supernova Web shell. Riley says that although the Supernova code was not especially sophisticated, it was “elegant.” The Web shell is memory-resident, and the attackers used an existing API to set up their access to gathering intel.

The Supernova Web shell poses as a SolarWinds Web service, displaying the Orion logo image. “The purpose of the file is just to grab an image … to pull the logo for SolarWinds [Orion] and present it,” he explains. “Other Web pages on that Web UI will call that file and grab the image.” Placing the malicious code there was elegant and stealthy, he says.

Riley doesn’t consider the SolarWinds API vulnerability that the attackers exploited a true zero-day bug. “It’s a gray area,” he says. The attackers basically abused a function of the software and its application programming interface. “They found a location in the software where a forward-facing page will call a function,” he says.

China
Secureworks researchers say aside from similar characteristics of Supernova with other nation-state actors out of China, they were able to tie the two attacks on their customer to China via a small but significant misstep the attackers made: exposing an IP address. “A Secureworks endpoint detection and response (EDR) agent checked in from a host that did not belong to the compromised organization and used an IP address geolocated to China,” according to Secureworks’ findings.

GuidePoint’s Riley says Supernova’s use of a Web shell rings of a Chinese nation-state operation. He says it reminds him of the way the so-called Shellcrew (aka Deep Panda) APT group operates, but he didn’t have firsthand knowledge of the attackers nor was he focused on attribution in his analysis.

“The only similarities I saw with other attack groups I’ve seen or dealt with is more from the approach,” Riley notes. Shellcrew, for instance, “is really adept at” planting malicious code along the callpath of large Web applications, he says.

Charity Wright, a cyber-threat intelligence analyst at RecordedFuture who specializes in China, says she and her team were suspicious when China basically “sat out” of election-meddling operations against during the 2020 US presidential campaign; the researchers figured Chinese nation-state hacking teams “were preparing something big.” It turns out they were, she says, pointing to the recently revealed widespread Microsoft Exchange Server zero-day attacks as well as Supernova, although Wright says RecordedFuture could not directly confirm Supernova came from China.

Secureworks so far is the only team to publicly name China in the attacks. “While we can’t independently verify the activity witnessed by Secureworks in their engagements, this would not be the first time an attacker missteps and inadvertently tips their hand,” says J.A. Guerrero-Saade, principal threat researcher at SentinelOne, of the discovery by Secureworks. “Regardless, attribution based entirely on cyber indicators is notoriously fungible and should be handled with caution.”

A Spiral Comeback?
Nation-states are known to leave monitoring tools in place for re-entry, Secureworks’ McLellan says, or to regroup and return with a different exploit if they get discovered. “We imagine this group may reappear. They’ve been around since 2018; we expect them to come back with some other way of gaining access.”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio