Threat actors used the Pulse Secure VPN (opens in new tab) appliance to install the Supernova webshell in a victim’s SolarWinds (opens in new tab) Orion server, and collect user credentials (opens in new tab) without permission, a new warning has said.
According to a recent advisory put out by the US Cybersecurity and Infrastructure Security Agency (CISA), this appears to be the first observed instance of a threat actor injecting the Supernova webshell directly into a victim’s SolarWinds installation.
The attack is significant as it deviates from the vector used in the earlier SolarWinds attack (opens in new tab). Instead of tainting the supply chain, the attackers in the latest attack installed the webshell by directly logging into the victim’s SolarWinds server.
We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.
>> Click here to start the survey in a new window (opens in new tab)<<
- We’ve built a list of the best business VPN (opens in new tab) solutions on the market
- These are the best endpoint protection tools (opens in new tab)
- Check our list of the best firewall apps and services (opens in new tab)
“CISA assesses this is a separate actor than the APT actor responsible for the SolarWinds supply chain compromise. Organizations that find Supernova on their SolarWinds installations should treat this incident as a separate attack,” writes CISA in its latest advisory (opens in new tab).
New attack vector
The SolarWinds attack that came to light in December 2020 injected malicious updates into the SolarWinds software. The US has pinned the attack on state-sponsored Russian threat actors and there have been several repercussions including sanctions (opens in new tab) on Russian companies and the expelling of Russian diplomats (opens in new tab).
There have been several mitigations to protect SolarWinds servers from compromise. However the new CISA advisory suggests that threat actors have adopted a new tactic.
In its analysis, CISA observes that the threat actor used the Pulse Secure VPN appliance to connect to the victim’s servers between at least March 2020 and February 2021.
Although CISA notes that attackers authenticated with the Pulse Secure VPN appliance using stolen credentials to masquerade as teleworking employees, cybersecurity (opens in new tab) firm Ivanti last week acknowledged (opens in new tab) a flaw in its Pulse Connect Secure VPN devices. The company said the flaw had been exploited by threat actors to move into the systems of “a very limited number of customers".
While CISA has only observed the new attack strategy against a single victim, it stands to reason that there might be several more. Alarmingly from CISA’s breakdown of the attack it appears to be immune to any of the mitigations for the SolarWinds supply-chain attack.
- Protect your devices with these best antivirus software (opens in new tab)
Via VentureBeat (opens in new tab)