The goal of the operation looks to have been to gather even more credentials. CISA reports that the threat actor was able to dump credentials from the SolarWinds appliance via two methods:

- Cached credentials used by the SolarWinds appliance server and network monitoring.
- By dumping Local Security Authority Subsystem Service (LSASS) memory.

The cached credentials are normally protected by encryption unless they are marked as exportable. So, either the threat actor was able to change or bypass that property, or the victim mistakenly marked the private key certificate as exportable.
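The second method above, dumping LSASS memory, is visible to a host sensor at the moment it happens: on Windows, Sysmon Event ID 10 (ProcessAccess) records which process opened a handle to lsass.exe and with which access rights. The Python below is an added example of that detection logic (my own code, not CISA's or the article's), run over a few constructed Sysmon-style JSON records. The access-right constants come from the Win32 process-access definitions; the allowlist of processes that legitimately touch LSASS, the field names and the sample events are assumptions to adapt to your own telemetry.

```python
import json

# Win32 process access rights that allow reading another process's memory.
# A credential dump needs at least PROCESS_VM_READ; PROCESS_ALL_ACCESS
# includes it.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that legitimately open LSASS with read access on a typical host.
# This allowlist is an assumption for the example: tune it per environment,
# and match on full trusted paths rather than bare image names.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def is_lsass_read(event: dict) -> bool:
    """True when a Sysmon EID 10 record shows a non-allowlisted process
    opening lsass.exe with rights sufficient to read its memory."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ) or granted == PROCESS_ALL_ACCESS

def detect(lines):
    """Parse newline-delimited JSON events and return the suspicious ones."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_lsass_read(event):
            alerts.append({
                "time": event.get("UtcTime"),
                "source": event.get("SourceImage"),
                "granted": event.get("GrantedAccess"),
                # Sysmon marks call-stack frames with no backing module as
                # UNKNOWN; that is typical of injected or unpacked code.
                "call_trace_has_unbacked": "UNKNOWN" in event.get("CallTrace", ""),
            })
    return alerts

# Constructed sample telemetry (not from any real incident): Defender doing a
# routine scan, a query-only handle from Task Manager, an unknown binary
# reading LSASS memory, and an unrelated process-creation event.
SAMPLE_EVENTS = """
{"EventID": 10, "UtcTime": "2021-03-01 10:00:01", "SourceImage": "C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe", "TargetImage": "C:\\\\Windows\\\\system32\\\\lsass.exe", "GrantedAccess": "0x1FFFFF", "CallTrace": "C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9d4c4"}
{"EventID": 10, "UtcTime": "2021-03-01 10:00:05", "SourceImage": "C:\\\\Windows\\\\system32\\\\taskmgr.exe", "TargetImage": "C:\\\\Windows\\\\system32\\\\lsass.exe", "GrantedAccess": "0x1000", "CallTrace": "C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9d4c4"}
{"EventID": 10, "UtcTime": "2021-03-01 10:02:17", "SourceImage": "C:\\\\Users\\\\Public\\\\dump.exe", "TargetImage": "C:\\\\Windows\\\\system32\\\\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9d4c4|UNKNOWN(0000000140001a2b)"}
{"EventID": 1, "UtcTime": "2021-03-01 10:02:18", "Image": "C:\\\\Windows\\\\system32\\\\notepad.exe"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Only the unknown binary with `0x1010` (PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION) is reported; the query-only handle is not, and the allowlisted scanner is skipped even though it requests full access. The allowlist is the weak point of this rule, since an attacker who can write to a trusted path defeats it, so it belongs alongside signature or hash checks on the source image rather than on its own.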
The injected code is compiled and directly executed in memory.
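As an added, defender-side illustration that is not part of the original article: the behaviour just described, a handler that accepts source code from a request, compiles it on the fly and runs it in memory, leaves source-level traces that a scan of a web root can look for. The Python script below (my own example, not CISA's, SolarWinds' or the article's code) scores files on co-occurring indicator groups: dynamic-compilation APIs (`CSharpCodeProvider`, `CompileAssemblyFromSource`) together with request-supplied input and reflective execution for .NET handlers, and eval/exec functions together with superglobals and decoding helpers for PHP. The file contents are constructed samples, and the indicator lists, file-type rule and score threshold are assumptions to tune for your own deployment.

```python
import re
from dataclasses import dataclass

# Indicator groups. Any single group is common in benign code (reading
# Request.QueryString, for instance); the co-occurrence of groups is what
# is unusual. These lists are assumptions for this example, not a complete
# signature set.
INDICATORS = {
    "aspx": {
        "dynamic_compile": [r"CSharpCodeProvider", r"CompileAssemblyFromSource",
                            r"VBCodeProvider", r"CodeDomProvider\.CreateProvider"],
        "request_input": [r"Request\.(Form|QueryString|Params|Headers)\[",
                          r"Request\["],
        "reflection_exec": [r"\.CreateInstance\(", r"\.Invoke\(",
                            r"Assembly\.Load\("],
    },
    "php": {
        "code_exec": [r"\beval\s*\(", r"\bsystem\s*\(", r"\bpassthru\s*\(",
                      r"\bshell_exec\s*\(", r"\bexec\s*\(", r"\bassert\s*\("],
        "request_input": [r"\$_(GET|POST|REQUEST|COOKIE)\b"],
        "obfuscation": [r"base64_decode\s*\(", r"str_rot13\s*\(", r"gzinflate\s*\("],
    },
}

@dataclass
class Finding:
    path: str
    groups_hit: list
    score: int

def classify_file(path: str, content: str) -> Finding:
    """Score one file: one point per indicator group that matches at least once."""
    kind = "php" if path.lower().endswith(".php") else "aspx"
    hit = []
    for group, patterns in INDICATORS[kind].items():
        if any(re.search(p, content) for p in patterns):
            hit.append(group)
    return Finding(path, hit, len(hit))

def scan(files: dict, min_score: int = 2) -> list:
    """Return findings with at least `min_score` groups hit, highest score first."""
    findings = [classify_file(p, c) for p, c in files.items()]
    return sorted((f for f in findings if f.score >= min_score),
                  key=lambda f: -f.score)

# Constructed sample files (not real Orion code): an ordinary handler that
# reads a query parameter and returns an image, a fragment that compiles
# submitted source at runtime, and a PHP page that only echoes escaped input.
SAMPLE_FILES = {
    "App_Web/LogoImageHandler.ashx.cs": (
        "public void ProcessRequest(HttpContext ctx) {\n"
        "    string id = ctx.Request.QueryString[\"id\"];\n"
        "    ctx.Response.ContentType = \"image/png\";\n"
        "    ctx.Response.WriteFile(LookupLogo(id));\n}\n"
    ),
    "App_Web/Suspicious.ashx.cs": (
        "var provider = new CSharpCodeProvider();\n"
        "var src = ctx.Request.Form[\"src\"]; // ... compiled below\n"
        "var results = provider.CompileAssemblyFromSource(parameters, src);\n"
        "results.CompiledAssembly.CreateInstance(/* ... */);\n"
    ),
    "wwwroot/contact.php": (
        "<?php $name = htmlspecialchars($_GET['name'] ?? '');\n"
        "echo \"Hello, $name\"; ?>\n"
    ),
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.path}: score={f.score} groups={f.groups_hit}")
```

On the samples only the runtime-compilation fragment crosses the threshold (three groups); the legitimate image handler and the contact page each hit one group and are ignored. In a real sweep the scoring is a triage aid, not a verdict: compare flagged files against the vendor's signed package contents and file hashes before acting.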
The SUPERNOVA web shell is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds Orion monitoring product. So, SUPERNOVA is placed by lateral movement inside a network and is not considered part of the SolarWinds supply chain attack. The threat actors are believed to be different from the ones behind the infamous supply chain attack.

Pulse Secure VPN

CISA found that the attacker(s) had access to the enterprise’s network for nearly a year, between March 2020 and February 2021. According to its investigation, the threat actor connected to the entity’s network via a Pulse Secure Virtual Private Network (VPN) appliance. CISA reports that it “does not know how the threat actor initially obtained these credentials” but, by coincidence, just two days ago we detailed multiple Pulse Secure vulnerabilities that are being actively exploited in the wild, and which could be leveraged for such an attack.

From there they moved laterally to its SolarWinds Orion server to establish a backdoor that would allow them to persist, so they could connect even if their initial point of entry was closed. The attacker(s) authenticated to the VPN appliance through several user accounts that did not have multi-factor authentication (MFA) enabled and were able to masquerade as legitimate teleworking employees.

Web shells are usually small scripts that act as a backdoor or a first point of entry for an attacker. A minimal web shell can be as simple as this:

A shell like this will sit on a compromised server and simply execute whatever command an attacker sends it via a web URL. The SUPERNOVA web shell is more sophisticated, and written in .NET rather than PHP, but it is essentially no different. It is initially installed by a PowerShell script and hides in a malicious version of the SolarWinds Orion Web Application module. It enables remote injection of C# source code into a web portal provided by the SolarWinds software suite.
These observations were made during an incident response to an Advanced Persistent Threat (APT) actor’s year-long compromise of an enterprise network. In its analysis, the organization warns that the threat actor behind the compromise “targeted multiple entities in the same period”.
![solarwinds orion products solarwinds orion products](https://2jws2s3y97dy39441y2lgm98-wpengine.netdna-ssl.com/wp-content/uploads/2020/12/image-23.png)
Amid the concerns regarding the SolarWinds hacking incident, the ODNI, FBI, and CISA issued a joint statement regarding a “cyber security campaign against America,” as National File reported. As the joint statement reads, the agencies issued an Emergency Directive which instructed federal civilian agencies “to immediately disconnect or power down affected SolarWinds Orion products from their network” due to exploitation from “malicious actors.”

“SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices, as described below in Required Action 2, is the only known mitigation measure currently available.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”

Dominion Voting Systems uses SolarWinds products, but has recently removed a reference link to SolarWinds from their official website. Dominion has been criticized recently for their potential role involving mass voter fraud in the 2020 US election.

The Cybersecurity and Infrastructure Security Agency (CISA) has reported finding the SUPERNOVA web shell collecting credentials on a SolarWinds Orion server.