Thursday, March 28, 2024

New SUPERNOVA Backdoor Found in SolarWinds Cyberattack Analysis

An analysis reports the detection of a backdoor possibly developed by the unidentified hacking team involved in the attack; known as Supernova, this is a web shell injected into SolarWinds Orion code that would allow threat actors to execute arbitrary code on systems that use the compromised version of the product.

Technical Overview

A webshell is typically malware logic embedded in a script page and is most often implemented in an interpreted programming language or context (commonly PHP, Java JSP, VBScript and JScript ASP, and C# ASP.NET).

The webshell will receive commands from a remote server and will execute in the context of the web server’s underlying runtime environment.

The SUPERNOVA webshell is also apparently designed for secondary or upgraded persistence, but its novelty goes far beyond the conventional webshell malware.

SUPERNOVA takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in memory. There is no need for additional network callbacks other than the initial C2 request.

The attackers have built a silent and full-grown .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network.

 The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically.

Implant Phase

By leveraging the inbuilt trust of system administrators and routine tool patching, the webshell was implanted without raising any conventional alerts.

The implant itself is a trojanized copy of app_web_logoimagehandler.ashx.b6031896.dll, which is a proprietary SolarWinds .NET library that exposes an HTTP API. The endpoint serves to respond to queries for a specific .gif image from other components of the Orion software stack.

The four parameters codes, clazz, method and args are passed via GET query string to the trojanized logo handler component.

These parameters are then executed in a custom method that simply invokes the underlying operating system.

Execution

The attacker might send a request to the embedded webshell over the internet or through an internally compromised system.

The code is crafted to accept the parameters as components of a valid .NET program, which is then compiled in memory. No executable is dropped and thus the webshell’s execution evades most defender endpoint detections.

Tactics, Techniques and Procedures

The malware is secretly embedded onto a server, and then receives C2 signals remotely and executes them in the context of the server user.

Yet, SUPERNOVA is powerful due to its in-memory execution, sophistication in its parameters and execution and flexibility by implementing a full programmatic API to the .NET runtime.

Apart from eluding detections, the SolarStorm actors were skilled enough to purposely hide their traffic and behaviour in plain sight and to avoid leaving trace evidence behind.

Protection

According to the researchers, only by organizing multiple security appliances and applications in a single pane can defenders detect these attacks.

Palo Alto Networks customers are protected by the following:

Network defense orchestration with Cortex XSOAR.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles