Writing the SUPERNOVA WebShell to disk: The attacker interacted with the SUPERNOVA WebShell to run net, dir and whoami commands for reconnaissance. The .NET class, method, arguments and code data are compiled and executed in memory. SolarWinds Orion and is designed to appear as part of the SolarWinds product. SolarWinds issued a security advisory recommending that users upgrade to the latest version, Orion Platform version 2020.2.1 HF 1, as soon as possible. CISA's assessment is that SUPERNOVA is not part of the SolarWinds supply chain attack described in Alert AA20-352A.

Detections and hunting queries specific to the SolarWinds hack: SolarWinds TEARDROP memory-only dropper IOCs in Windows Defender Exploit Guard activity; SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents. The DLL is patched with the SUPERNOVA webshell and is a replacement for a legitimate SolarWinds DLL. Although excluding the SolarWinds product paths from scanning is an understandable practice, done to avoid impacting product functions, the following detections will not work unless those installation-path exclusions are removed first.

The report describes the analysis of a PowerShell script that decodes and installs SUPERNOVA, a malicious webshell backdoor. This cyberthreat, "Supernova," is tracked as CVE-2020-10148. SUPERNOVA differs dramatically in that it takes a valid .NET program as a parameter. SolarWinds, in a support article that has since been removed, asked organizations to exclude SolarWinds product paths from anti-virus scans.

Updated 14Jan: "SolarLeaks" (as first seen on Reddit Jan 12). Updated 23Dec: NSA advisory on the abuse of federated Single Sign-On (SSO) infrastructure and Security Assertion Markup Language (SAML) tokens. Updated 9Feb: Unconfirmed Chinese exploitation of the SolarWinds breach. Updated 21Dec: Possible 2019 dry run and new malware dubbed SUPERNOVA detected; new analysis from …
SolarWinds recommends: rebuilding internet-accessible Orion infrastructure; upgrading non-internet-accessible Orion infrastructure. SolarWinds has developed a program to provide professional consulting resources, at no charge, to customers with active maintenance plans. Our analysis of the SUPERNOVA trojan reveals the differences between the legitimate DLL and the attacker's implant, along with some new IoCs for detection. We recommend that all customers running SolarWinds Orion versions 2019.4 through 2020.2.1 upgrade the Orion platform to version 2020.2.1 HF 1 as soon as possible. SUPERNOVA is written in .NET C# and is a Trojan horse version of the legitimate DLL (app_web_logoimagehandler.ashx.b6031896.dll) used by the SolarWinds Orion platform. Here's the current list of collateral.

It's worth noting that SolarWinds' updated security advisory on December 24 made note of an unspecified vulnerability in the Orion Platform that could be exploited to deploy rogue software such as SUPERNOVA. But exact details of the flaw remained unclear until now. Rapid7 has deployed detections in InsightIDR for activity related to vulnerable versions of SolarWinds Orion and will continue to add IOCs/TTPs as they become available. See that here: SolarWinds Post-Compromise Hunting with Azure Sentinel. The SUPERNOVA Displayed below is a portion of the event log with the victim information redacted.