The Cybersecurity and Infrastructure Security Agency (CISA) has reported finding the SUPERNOVA web shell collecting credentials on a SolarWinds Orion server. These observations were made during an incident response to an Advanced Persistent Threat (APT) actor’s year-long compromise of an enterprise network. In its analysis, the organization warns that this threat actor behind the compromise "targeted multiple entities in the same period".
NOT part of the SolarWinds attack
The SUPERNOVA web shell is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds Orion monitoring product. So, SUPERNOVA is placed by a lateral movement inside a network and not considered as a part of the SolarWinds supply chain attack. The threat actors are believed to be different from the ones behind the infamous supply chain attack.
Pulse Secure VPN
CISA found that the attacker(s) had access to the enterprise's network for nearly a year, between March 2020 and February 2021. According to its investigation, the threat actor connected to the entity's network via a Pulse Secure Virtual Private Network (VPN) appliance. CISA reports that it "does not know how the threat actor initially obtained these credentials" but, by coincidence, just two days ago we detailed multiple Pulse Secure vulnerabilities that are being actively exploited in the wild, and which could leverage such an attack.
The attacker(s) authenticated to the VPN appliance through several user accounts that did not have multi-factor authentication (MFA) enabled and were able to masquerade as legitimate teleworking employees.
From there they moved laterally to its SolarWinds Orion server to establish a backdoor that would allow them to persist, so they could connect even if their initial point of entry was closed.
Web shells are usually small scripts that act as a backdoor or a first point of entry for an attacker. A minimal web shell can be as simple as this:
A shell like this will site on a compromised server and simply execute whatever command an attacker sends it via a web URL. The SUPERNOVA web shell is more sophisticated, and written in .NET rather than PHP, but it is essentially no different.
It is initially installed by a PowerShell script and hides in a malicious version of the SolarWinds Orion Web Application module. It enables remote injection of C# source code into a web portal provided by the SolarWinds software suite. The injected code is compiled and directly executed in memory.
The goal of the operation looks to have been to gather even more credentials. CISA reports that the threat actor was able to dump credentials from the SolarWinds appliance via two methods:
- Cached credentials used by the SolarWinds appliance server and network monitoring.
- By dumping Local Security Authority Subsystem Service (LSASS) memory.
The cached credentials are normally protected by encryption unless they are marked as exportable. So, either the threat actor was able to change or bypass that property, or the victim mistakenly marked the private key certificate as exportable.
The attacker put a renamed copy of procdump.exe on the SolarWinds Orion server to dump the LSASS memory. The credentials were then dumped into a text file and exfiltrated by an HTTP request.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). CISA believes that a vulnerability listed as CVE-2020-10148 was used to bypass the authentication to the SolarWinds appliance.
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
Bypassing the authentication would have enabled them to run commands with the same privileges the SolarWinds appliance was running, which was SYSTEM in this case.
Based on findings done during the ongoing investigation CISA recommends all organizations implement the following practices to strengthen the security posture of their organization's systems:
- Check for common executables executing with the hash of another process
- Implement MFA, especially for privileged accounts.
- Use separate administrative accounts on separate administration workstations.
- Implement Local Administrator Password Solution (LAPS).
- Implement the principle of least privilege on data access.
- Secure Remote Desktop Protocol (RDP) and other remote access solutions using MFA and “jump boxes” for access.
- Deploy and maintain endpoint defense tools on all endpoints.
- Ensure all software is up to date.
- Maintain up-to-date antivirus signatures and engines.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators' group unless required.
- Enforce a strong password policy and implement regular password changes.
- Enable a personal firewall on organization workstations that is configured to deny unsolicited connection requests.
- Disable unnecessary services on organization workstations and servers.
It also urges users of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 to to review Emergency Directive ED 21-01 and associated guidance for recommendations on operating the SolarWinds Orion platform. US federal agencies are required to comply with these directives.
Stay safe, everyone!