• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

A New SolarWinds Flaw Likely Had Let Hackers Install SUPERNOVA Malware


Recommended Posts

solarwinds-malware.jpg

An authentication bypass vulnerability in the SolarWinds Orion software may have been leveraged by adversaries as a zero-day to deploy the SUPERNOVA malware in target environments.

According to an advisory published yesterday by the CERT Coordination Center, the SolarWinds Orion API that's used to interface with all other Orion system monitoring and management products suffers from a security flaw (CVE-2020-10148) that could allow a remote attacker to execute unauthenticated API commands, thus resulting in a compromise of the SolarWinds instance.

"The authentication of the API can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request to the API, which could allow an attacker to execute unauthenticated API commands," the advisory states.

"In particular, if an attacker appends a PathInfo parameter of 'WebResource.adx,' 'ScriptResource.adx,' 'i18n.ashx,' or 'Skipi18n' to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication."

It's worth noting that SolarWinds' updated security advisory on December 24 made note of an unspecified vulnerability in the Orion Platform that could be exploited to deploy rogue software such as SUPERNOVA. But exact details of the flaw remained unclear until now.

In the past week, Microsoft disclosed that a second threat actor might have been abusing SolarWinds' Orion software to drop an additional piece of malware called SUPERNOVA on target systems.

It was also corroborated by cybersecurity firms Palo Alto Networks' Unit 42 threat intelligence team and GuidePoint Security, both of whom described it as a .NET web shell implemented by modifying an "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application.

While the legitimate purpose of the DLL is to return the logo image configured by a user to other components of the Orion web application via an HTTP API, the malicious additions allow it to receive remote commands from an attacker-controlled server and execute them in-memory in the context of the server user.

"SUPERNOVA is novel and potent due to its in-memory execution, sophistication in its parameters and execution and flexibility by implementing a full programmatic API to the .NET runtime," Unit 42 researchers noted.

The SUPERNOVA web shell is said to be dropped by an unidentified third-party different from the SUNBURST actors (tracked as "UNC2452") due to the aforementioned DLL not being digitally signed, unlike the SUNBURST DLL.

The development comes as government agencies and cybersecurity experts are working to understand the full consequences of the hack and piece together

the global intrusion campaign that has potentially ensnared 18,000 of SolarWinds' customers.

FireEye, which was the first company to uncover the SUNBURST implant, said in an analysis that the actors behind the espionage operation routinely removed their tools, including the backdoors, once legitimate remote access was achieved — implying a high degree of technical sophistication and attention to operational security.

Evidence unearthed by ReversingLabs and Microsoft had revealed that key building blocks for the SolarWinds hack were put in place as early as October 2019 when the attackers laced a routine software update with innocuous modifications to blend in with the original code and later made malicious changes that allowed them to launch further attacks against its customers and to steal data.

To address the authentication bypass vulnerability, it's recommended that users update to the relevant versions of the SolarWinds Orion Platform:

  • 2019.4 HF 6 (released December 14, 2020)
  • 2020.2.1 HF 2 (released December 15, 2020)
  • 2019.2 SUPERNOVA Patch (released December 23, 2020)
  • 2018.4 SUPERNOVA Patch (released December 23, 2020)
  • 2018.2 SUPERNOVA Patch (released December 23, 2020)

For customers who have already upgraded to the 2020.2.1 HF 2 or 2019.4 HF 6 versions, it's worth noting that both the SUNBURST and SUPERNOVA vulnerabilities have been addressed, and no further action is required.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now