Home>Blog>The Hacker News Headlines>A New SolarWinds Flaw Likely Had Let Hackers Install SUPERNOVA Malware
The Hacker News Headlines

A New SolarWinds Flaw Likely Had Let Hackers Install SUPERNOVA Malware

An authentication bypass vulnerability in the SolarWinds Orion
software may have been leveraged by adversaries as zero-day to
deploy the SUPERNOVA malware in target environments.

According to an advisory[1]
published yesterday by the CERT Coordination Center, the SolarWinds
Orion API that’s used to interface with all other Orion system
monitoring and management products suffers from a security flaw
(CVE-2020-10148) that could allow a remote attacker to execute
unauthenticated API commands, thus resulting in a compromise of the
SolarWinds instance.

“The authentication of the API can be bypassed by including
specific parameters in the Request.PathInfo[2]
portion of a URI request to the API, which could allow an attacker
to execute unauthenticated API commands,” the advisory states.

“In particular, if an attacker appends a PathInfo parameter of
‘WebResource.adx,’ ‘ScriptResource.adx,’ ‘i18n.ashx,’ or ‘Skipi18n’
to a request to a SolarWinds Orion server, SolarWinds may set the
SkipAuthorization[3]
flag, which may allow the API request to be processed without
requiring authentication.”

SolarWinds, in an update to its security advisory[4]
on December 24, had stated malicious software could be deployed
through the exploitation of a vulnerability in the Orion Platform.
But exact details of the flaw remained unclear until now.

In the past week, Microsoft disclosed[5]
that a second threat actor might have been abusing SolarWinds’
Orion software to drop an additional piece of malware called
SUPERNOVA on target systems.

It was also corroborated by cybersecurity firms Palo Alto
Networks’ Unit 42[6]
threat intelligence team and GuidePoint Security[7], both of whom described
it as a .NET web shell implemented by modifying an
“app_web_logoimagehandler.ashx.b6031896.dll” module of the
SolarWinds Orion application.

While the legitimate purpose of the DLL is to return the logo
image configured by a user to other components of the Orion web
application via an HTTP API, the malicious additions allow it to
receive remote commands from an attacker-controlled server and
execute them in-memory in the context of the server user.

“SUPERNOVA is novel and potent due to its in-memory execution,
sophistication in its parameters and execution and flexibility by
implementing a full programmatic API to the .NET runtime,” Unit 42
researchers noted.

The SUPERNOVA web shell is said to be dropped by an unidentified
third-party different from the SUNBURST actors (tracked as
“UNC2452”) due to the aforementioned DLL not being digitally
signed, unlike the SUNBURST DLL.

The development comes as government agencies and cybersecurity
experts are working to understand the full consequences of the hack
and piece together the global intrusion campaign[8] that has potentially
ensnared 18,000 of SolarWinds’ customers.

FireEye, which was the first company to uncover the SUNBURST
implant, said[9]
in an analysis that the actors behind the espionage operation
routinely removed their tools, including the backdoors, once
legitimate remote access was achieved — implying a high degree of
technical sophistication and attention to operational security.

Evidence unearthed by ReversingLabs[10] and Microsoft[11] had revealed that key
building blocks for the SolarWinds hack were put in place as early
as October 2019 when the attackers laced a routine software update
with innocuous modifications to blend in with the original code and
later made malicious changes that allowed them to launch further
attacks against its customers and to steal data.

To address the authentication bypass vulnerability, it’s
recommended that users update to the relevant versions of the
SolarWinds Orion Platform:

  • 2019.4 HF 6 (released December 14, 2020)
  • 2020.2.1 HF 2 (released December 15, 2020)
  • 2019.2 SUPERNOVA Patch (released December 23, 2020)
  • 2018.4 SUPERNOVA Patch (released December 23, 2020)
  • 2018.2 SUPERNOVA Patch (released December 23, 2020)

For customers who have already upgraded to the 2020.2.1 HF 2 or
2019.4 HF 6 versions, it’s worth noting that both the SUNBURST and
SUPERNOVA vulnerabilities have been addressed, and no further
action is required.

References

  1. ^
    advisory
    (www.kb.cert.org)
  2. ^
    Request.PathInfo
    (docs.microsoft.com)
  3. ^
    SkipAuthorization
    (docs.microsoft.com)
  4. ^
    security
    advisory     (www.solarwinds.com)
  5. ^
    disclosed
    (thehackernews.com)
  6. ^
    Unit
    42     (unit42.paloaltonetworks.com)
  7. ^
    GuidePoint Security
    (www.guidepointsecurity.com)
  8. ^
    global
    intrusion campaign     (thehackernews.com)
  9. ^
    said
    (www.fireeye.com)
  10. ^
    ReversingLabs
    (thehackernews.com)
  11. ^
    Microsoft
    (thehackernews.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.