Researchers Describe a Second, Separate SolarWinds Attack
This Attack, With Apparent Ties to China, Distinct From Russian Cyberespionage Effort
Russian hackers apparently weren't the only ones targeting SolarWinds customers. An attack last year by the Spiral hacking group, believed to be based in China, against one organization used "Supernova" malware that targeted a vulnerability in SolarWinds' Orion network monitoring software, according to the Secureworks Counter Threat Unit.
In January, SolarWinds issued an advisory on that vulnerability, CVE-2020-10148, but it said no exploits had been discovered. SolarWinds issued a patch on Dec. 23, 2020. But Spiral exploited the vulnerability earlier, says Mike McLellan, director of intelligence at Secureworks.
The attack using the Supernova malware that Secureworks investigated is not related to the much broader SolarWinds supply chain attack, Secureworks says. That separate supply chain attack is tied to a Russian cyberespionage campaign that leveraged a backdoor installed in an update of the Orion network monitoring platform, investigators say. Some 18,000 Orion users downloaded the version with the backdoor. Nine government agencies and about 100 private-sector organizations were then targeted for follow-on attacks, the investigators report.
A spokesperson for SolarWinds also confirms to Information Security Media Group that the apparent Chinese attack using Supernova malware is not related to the Russian supply chain attack. In the Supernova attack described by Secureworks, hackers went directly into the victim's network instead of using Orion as the entry point, the spokesperson says.
What is Supernova?
Secureworks describes Supernova as a Trojanized version of the legitimate dynamic link library used by the SolarWinds Orion network monitoring platform. The hackers were spotted using Supernova to conduct further reconnaissance on a SolarWinds client's network, which eventually led to the exfiltration of some credentials, the researchers say.
SolarWinds confirmed to ISMG that the Supernova attack researched by Secureworks is associated with earlier warnings of a second group of hackers exploiting a SolarWinds Orion flaw, which has since been patched.
Uncovering the Attack
Secureworks' researchers discovered the Spiral attack on one organization in November 2020 when they spotted hackers exploiting a SolarWinds Orion API vulnerability on an internet-facing SolarWinds server during an incident response effort.
"The threat actor exploited a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148) to execute a reconnaissance script and then write the Supernova web shell to disk," the researchers say.
"There is no known connection between Spiral activity and the recently reported compromises of on-premises Microsoft Exchange servers," says McLellan. "Spiral's activities are also separate from the SolarWinds supply chain compromise first reported in December 2020, and the two just happened to be discovered at around the same time because both involved SolarWinds software."
The Spiral Attack
Once the Spiral attackers exploited CVE-2020-10148, they installed the web shell and used it to conduct additional reconnaissance, Secureworks reports. The attackers were able to extract credentials by dumping the Local Security Authority Subsystem Service, or LSASS, process using the legitimate comsvcs.dll library, the report states. The dump was written to the license.txt file, which was retrieved and then erased, the researchers say.
LSASS is a process in Microsoft Windows operating systems for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes and creates access tokens.
In the Supernova attack against a SolarWinds customer that Secureworks investigated, Spiral moved laterally through the targeted system, mapping the network shares from a domain controller and a server that contained sensitive information, the researchers say.
In August 2020, Secureworks noted activity on the same network at the SolarWinds client organization, which indicated the system might have been initially compromised in 2018. At that time, the attacker used a vulnerable public-facing ManageEngine ServiceDesk server to gain entry and then visited the network several times to remove data, the researchers say.
"In August 2020, the threat actor returned to the network via the ManageEngine ServiceDesk server, harvested credentials from two servers, likely exfiltrated these credentials through the ManageEngine server, and then used them to access files from Office 365-hosted SharePoint and OneDrive services," according to the report.
The analysts cite similarities between the August and November 2020 incidents to tie Spiral to both:
- The hackers used identical commands to dump the LSASS process via comsvcs.dll and used the same output file path.
- The same two servers were accessed: a domain controller and a server that could provide access to sensitive business data.
- The same 'c:\users\public' path (all lowercase) was used as a working directory.
- The hackers used the same three compromised administrator accounts in both intrusions.
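The behaviors the researchers describe (comsvcs.dll loaded through rundll32, the all-lowercase working directory, and an output file that is written and then erased) can be turned into a simple hunt over endpoint telemetry. The sketch below is an added example, not code from Secureworks or from this article; the event field names, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not from the report); command arguments are redacted.
EVENTS = [
    {"ts": "2021-01-01T02:14:05", "host": "DC01", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll [redacted] c:\users\public\license.txt"},
    {"ts": "2021-01-01T02:14:07", "host": "DC01", "type": "file_create",
     "path": r"c:\users\public\license.txt"},
    {"ts": "2021-01-01T02:19:40", "host": "DC01", "type": "file_delete",
     "path": r"c:\users\public\license.txt"},
    {"ts": "2021-01-01T09:00:00", "host": "WS07", "type": "file_create",
     "path": r"C:\Users\Public\Documents\report.docx"},
    {"ts": "2021-01-01T09:30:00", "host": "WS07", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

STAGING_DIR = "c:\\users\\public\\"   # working directory named in the article
WINDOW = timedelta(minutes=30)         # assumed create-to-delete window

def detect(events):
    """Return (rule, host, detail) tuples for the behaviors described above."""
    alerts, created = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process_create":
            cmd = ev["cmdline"]
            # Assumption: rundll32 loading comsvcs.dll is suspicious on its own.
            if ev["image"].lower().endswith("\\rundll32.exe") and "comsvcs.dll" in cmd.lower():
                alerts.append(("comsvcs_via_rundll32", ev["host"], cmd))
            # Case-sensitive on purpose: the path was typed all lowercase.
            if STAGING_DIR in cmd:
                alerts.append(("lowercase_public_path", ev["host"], cmd))
        elif ev["type"] == "file_create":
            created[(ev["host"], ev["path"].lower())] = ts
        elif ev["type"] == "file_delete":
            key = (ev["host"], ev["path"].lower())
            born = created.pop(key, None)
            in_staging = key[1].startswith(STAGING_DIR) and "\\" not in key[1][len(STAGING_DIR):]
            # A file dropped directly in the public profile and erased soon after.
            if born and in_staging and ts - born <= WINDOW:
                alerts.append(("staged_then_erased", ev["host"], ev["path"]))
    return alerts
```

The lowercase-path rule is a weak signal by itself and is best used to raise the priority of the other two.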
The China Connection
Spiral's connection to China is somewhat tenuous, but Secureworks notes that Chinese threat groups often target ManageEngine servers and then use this long-term access periodically to harvest credentials and data. The researchers also found an additional piece of evidence reinforcing the link to China.
"A Secureworks endpoint detection and response agent checked in from a host that did not belong to the compromised organization and used an IP address geolocated to China," the report states.