IT administrators that use SolarWinds’ Orion network management platform have more than one vulnerability to search for in the wake of news the suite has been compromised.
Dubbed Supernova by Palo Alto Networks, it’s described as a “sophisticated, in-memory webshell baked into Orion’s code, which acted as an interactive .NET runtime API.” The webshell payload is compiled on the fly and executed dynamically, the report says, which makes it harder for endpoint detection applications to catch.
Supernova is separate from the Solorigate/Sunburst compromised security update found by FireEye researchers, which opens a backdoor for further exploitation and is believed to have been created by a nation-state. That malware came with a signed digital certificate to help it get past security blocks. Supernova doesn’t have a digital signature, which has led Microsoft to conclude it was likely created by a different threat actor.
Separately, a U.S. Senator who received a closed-door briefing on Orion-related hacks said that dozens of email accounts of senior Treasury department officials were compromised. It wasn’t clear which exploit was used.
American officials have said the State Department, Commerce Department, Treasury, Homeland Security Department, and the National Institutes of Health have been compromised through an Orion exploit.
SolarWinds says some 18,000 customers using Orion may have downloaded the infected software updates between March and August. In a statement, Cisco said it has identified and mitigated affected software in a small number of lab environments and a limited number of employee endpoints. Cisco said it doesn’t use SolarWinds for its enterprise network management or monitoring. Meanwhile, VMware said that it has identified “limited instances” of the vulnerable Orion software in its internal environment. There has been no indication of exploitation, it added.
In its analysis of Supernova, Palo Alto researchers noted that .NET webshells are fairly common, and usually perform some relatively surface-level exploitation — for example, commanding the implant to dump directory structures or operating system information or to perform a network call to load more exploitation tools.
“Supernova differs dramatically in that it takes a valid .NET program as a parameter,” say researchers. “The .NET class, method, arguments and code data are compiled and executed in-memory. There are no additional forensic artifacts written to disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the initial C2 request.
“In other words, the attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network. The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically. This is significant because it allows the attacker to deploy full-featured – and presumably sophisticated – .NET programs in reconnaissance, lateral movement and other attack phases.”
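One detection angle that follows from the description above: a web request whose parameter carries an entire C# compilation unit is itself an anomaly in a network-management server’s logs. The script below is an added illustration, not code from the article or from Palo Alto’s report; it scans constructed IIS-style log lines for query-string values that decode to C#-looking source, and the handler path and parameter names it uses are hypothetical.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style records (date time s-ip cs-method cs-uri-stem cs-uri-query sc-status).
# Not real telemetry; the .ashx path and the cls/fn/src parameter names are hypothetical.
SAMPLE_LOG = """\
2020-12-15 10:01:02 10.0.0.5 GET /Orion/Images/Logo.ashx id=site-logo 200
2020-12-15 10:01:09 10.0.0.5 GET /Orion/Images/Logo.ashx cls=Probe&fn=Run&src=using+System%3B+public+class+Probe+%7B+public+static+string+Run%28%29+%7B+return+Environment.MachineName%3B+%7D+%7D 200
2020-12-15 10:02:30 10.0.0.7 GET /Orion/Login.aspx ReturnUrl=%2fOrion%2fSummaryView.aspx 200
"""

# Regexes that together suggest a C# class is riding inside a request parameter.
CSHARP_MARKERS = [
    r"\busing\s+System\b",
    r"\b(?:public|private|internal)\s+(?:static\s+)?class\s+\w+",
    r"\bpublic\s+static\s+\w+\s+\w+\s*\(",
    r"\breturn\b",
    r"\{.*\}",
]

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def score_csharp(text):
    """Count how many C# source markers appear in an already URL-decoded value."""
    return sum(1 for pat in CSHARP_MARKERS if re.search(pat, text, re.S))


def suspicious_requests(log_text, min_score=3):
    """Return (uri-stem, parameter, score) for requests whose query value looks like C# source."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("query") == "-":
            continue
        # parse_qs decodes %xx sequences and '+' so the markers match the original text.
        for name, values in parse_qs(m.group("query"), keep_blank_values=True).items():
            for value in values:
                score = score_csharp(value)
                if score >= min_score:
                    hits.append((m.group("stem"), name, score))
    return hits


if __name__ == "__main__":
    for stem, param, score in suspicious_requests(SAMPLE_LOG):
        print(f"C#-like source in parameter '{param}' of {stem} (score {score})")
```

On a real server the same check would run over the IIS log directory, with the score threshold tuned so that legitimate handlers that accept free text do not trip it.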
Palo Alto notes that the only way to catch advanced intrusions is a defense-in-depth strategy.