Hackers Exploit VPN to Deploy SUPERNOVA malware on SolarWinds Orion


The U.S. Cybersecurity and Infrastructure Security Agency stated, “The threat actor connected to the entity’s network via a Pulse Secure virtual private network appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA, and collected credentials.”

CISA reported that it uncovered the threat actor during an incident response engagement at an unnamed organization and found that the attacker had held access to the network for nearly a year through VPN credentials. The attacker used a legitimate account that had multi-factor authentication enabled to connect to the VPN, which allowed them to masquerade as a teleworking employee of the affected entity.

SUPERNOVA is a .NET web shell implemented by modifying the “app_web_logoimagehandler.ashx.b6031896.dll” module of the SolarWinds Orion application. The modification was planted by leveraging CVE-2020-10148, an authentication bypass vulnerability in the Orion API that allowed unauthenticated API commands to be executed.
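As an added example, not code from the article or from CISA's report, the following Python builds detection logic on the two facts stated above: SUPERNOVA replaces a SolarWinds Orion DLL, and it is reached as a web shell through the Orion web handler that DLL backs. The baseline hash, the IIS log lines, the request paths, the query parameter names and the `id` allow-list are all constructed assumptions for illustration; on a real server the baseline would come from a clean install or vendor-published hashes, and the allow-list from observed legitimate traffic.

```python
import hashlib
import re
from urllib.parse import parse_qs

# Constructed baseline: SHA-256 of the known-good handler DLL as it would be
# recorded from a clean Orion install. The bytes here are a placeholder,
# not the real file (assumption for this example).
KNOWN_GOOD = {
    "app_web_logoimagehandler.ashx.b6031896.dll":
        hashlib.sha256(b"clean-dll-bytes").hexdigest(),
}


def dll_modified(name: str, content: bytes) -> bool:
    """Return True if the DLL's hash does not match the recorded baseline.

    A DLL with no baseline entry is also flagged: SUPERNOVA works by
    replacing a module the product ships, so any unknown module under
    the Orion web root deserves a look.
    """
    expected = KNOWN_GOOD.get(name)
    return expected is None or hashlib.sha256(content).hexdigest() != expected


# Simplified IIS W3C layout assumed for this example:
#   date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

# Query parameters we assume legitimate requests to the handler use.
# Anything beyond this set is treated as web-shell style input (assumption).
ALLOWED_PARAMS = {"id"}


def suspicious_handler_requests(lines):
    """Flag requests to the logo image handler carrying unexpected parameters."""
    hits = []
    for line in lines:
        if line.startswith("#"):          # W3C header/field lines
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        date, time, method, stem, query, ip, status = m.groups()
        if not stem.lower().endswith("logoimagehandler.ashx"):
            continue
        params = set(parse_qs(query).keys()) if query != "-" else set()
        extra = params - ALLOWED_PARAMS
        if extra:
            hits.append({
                "time": f"{date} {time}",
                "ip": ip,
                "method": method,
                "params": sorted(extra),
                "status": int(status),
            })
    return hits


# Constructed sample log: one login, one benign handler request, one request
# with extra parameters that a web shell would need to receive input.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2021-02-10 09:14:02 GET /Orion/Login.aspx - 10.0.0.5 200",
    "2021-02-10 09:14:05 GET /Orion/LogoImageHandler.ashx id=1 10.0.0.5 200",
    "2021-02-10 09:21:17 GET /Orion/LogoImageHandler.ashx "
    "clazz=Foo&method=Run&args=x&codes=y 10.0.0.99 200",
]

if __name__ == "__main__":
    name = "app_web_logoimagehandler.ashx.b6031896.dll"
    print("clean DLL modified?", dll_modified(name, b"clean-dll-bytes"))
    print("tampered DLL modified?", dll_modified(name, b"tampered"))
    for hit in suspicious_handler_requests(SAMPLE_LOG):
        print("suspicious handler request:", hit)
```

The hash check is only as good as its baseline, so keep the baseline off the Orion host and refresh it after every vendor upgrade; the log check catches use of the shell rather than its presence, which matters because an actor who, as in this case, already holds valid VPN credentials may install the shell long before using it.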