SUPERNOVA Backdoor: SolarWinds Victim of Not 1 but 2 Cyberattacks

SolarWinds Headquarters

Recent analyzes into SolarWinds’ major data breach, attributed to Russian APT group Cozy Bear, reveal a second cyberattack. Another yet unnamed hacking group also targeted SolarWinds installing the SUPERNOVA backdoor into their Orion network management platform.

The Latest on SolarWinds’ Original Breach

Earlier this month, it was revealed that SolarWinds had suffered a major breach, which has been attributed to the Russian APT group Cozy Bear. The breach has come to be known as the Solorigate incident. Since then, the group have been compromising SolarWinds’ clients via software supply chain attacks using SolarWinds’ Orion network management software.

Among the companies believed affected are numerous Fortune 500 companies, of which SolarWinds counts 499 of them as its clients. The targeted private organizations have primarily been technology companies. Public organizations that have fallen victim to Solorigate reportedly include the US Treasury Department, the Department of Homeland Security, the State Department and the Justice Department. Furthermore, entities from all five branches of the US military may also be potential victims.

Since the SolarWinds breach was first discovered, analyzes of the incident have been ongoing. It is therefore now known that cybercriminals modified a legitimate SolarWinds Orion DLL file to attack SolarWinds’ clients. The attackers modified the SolarWinds.Orion.Core.BusinessLayer.dll to include the malicious SUNBURST backdoor trojan. This file was then distributed to SolarWinds clients via an automatic update feature.

Solorigate Analysis Reveals New Flaw

While analyzing the Solorigate compromise, investigators discovered that SolarWinds had been the victim of not 1 but 2 cyberattacks. Palo Alto Networks’ global threat intelligence team, Unit 42, and Microsoft’s 365 Defender Research Team recently reported this additional cyberattack. Furthermore, they both believe the second cyberattack is the work of a separate cybercriminal group from that involved in Solorigate.

The 365 Defender Research Team write in their report: “In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this [Solorigate] compromise and used by a different threat actor.”

According to a Vulnerability Note published by the CERT Coordination Center, the SolarWinds Orion API suffers from a security flaw. This vulnerability permits remote attackers to bypass authentication and execute API commands. This allowed cybercriminals to install a second backdoor into Orion Platform products, which has been dubbed SUPERNOVA.

SUPERNOVA SolarWinds Advisory

SolarWinds yesterday released an updated advisory, which includes details of the new SUPERNOVA malware. SUPERNOVA is a persistence backdoor, which was distributed using the app_web_logoimagehandler.ashx.b6031896.dll file. This DLL file was written by cybercriminals specifically for the Orion Platform. It was then deployed by exploiting the Orion API security flaw.

The cybercriminals modified the Orion Platform’s original app_web_logoimagehandler.ashx.b6031896.dll file. The file’s legitimate purpose was to return a user configured logo image to other components of the Orion web application. The modifications made by the cybercriminals now allow the DLL to receive remote commands from servers controlled by the cybercriminals. The commands are executed in-memory on SolarWinds’ clients’ devices.

Unit 42 researchers noted that “SUPERNOVA is novel and potent due to its in-memory execution, sophistication in its parameters and execution and flexibility by implementing a full programmatic API to the .NET runtime.”

Protection Against SUPERNOVA

SolarWinds states in its latest advisory “We constantly work to enhance the security of our products and to protect our customers and ourselves because hackers and other cybercriminals are always seeking new ways to find and attack their victims. We work closely with our customers to address and remediate any potential concerns, and we encourage all customers to run only supported versions of our products and to upgrade to the latest versions to the get the full benefit of our updates, improvements, and enhancements.”

For protection against SUPERNOVA, SolarWinds advises all its Orion Platform clients to apply these latest patches:

  • 2019.2 SUPERNOVA Patch (released December 23, 2020)
  • 2018.4 SUPERNOVA Patch (released December 23, 2020)
  • 2018.2 SUPERNOVA Patch (released December 23, 2020)

SolarWinds clients who upgraded to the following Orion versions after the Solorigate compromise, are protected from both the SUNBURST and SUPERNOVA backdoors:

  • 2020.2.1 HF 2 (released December 15, 2020); or
  • 2019.4 HF 6 (released December 14, 2020).

Consequently, these clients don’t need to take any further action to protect themselves against SUPERNOVA.

As well as the SolarWinds Security Advisory Page, the company encourages its clients to refer to the FAQs at www.solarwinds.com/securityadvisory/faq.

Information technology expert
Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.