2025-04-06 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article analyses, with reference to public reporting, how attackers used a new SolarWinds vulnerability to install the SuperNova malware. The editor considers it practical and shares it for reference; we hope you get something out of it.
An attacker appears to have deployed the SuperNova malware in target environments by exploiting an authentication bypass vulnerability in SolarWinds Orion software as a zero-day.
According to a security bulletin published by CERT/CC in the United States on December 26, the SolarWinds Orion API, through which the other Orion system monitoring and management products communicate, contains a vulnerability (CVE-2020-10148) that allows a remote, unauthenticated attacker to execute API commands and thereby compromise the SolarWinds instance.
The bulletin notes that authentication can be bypassed by including specific strings in the Request.PathInfo portion of a URI sent to the API.
Specifically, if the PathInfo of a request sent to a SolarWinds Orion server contains 'WebResource.adx', 'ScriptResource.adx', 'i18n.ashx' or 'Skipi18n', SolarWinds sets the SkipAuthorization flag, and the API request may then be processed without authentication.
SolarWinds had updated its own security advisory on December 24 to state that an attacker could deploy malware by exploiting a vulnerability in the Orion Platform, but it did not disclose the details of that vulnerability at the time.
Last week, Microsoft disclosed that a second threat actor may have abused the SolarWinds Orion software to deliver a different piece of malware, SuperNova, to target systems.
This was also confirmed by the Palo Alto Networks Unit 42 threat intelligence team and by GuidePoint Security. Both describe SuperNova as a .NET web shell implemented as a trojanised version of the "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion web application.
The legitimate purpose of this DLL is to return user-configured logo images to other components of the Orion web application over an HTTP API. The trojanised version additionally accepts commands sent by the attacker over HTTP and executes them in memory, in the security context of the account under which the web server runs.
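The two behaviours described above, the PathInfo-based authorization skip of CVE-2020-10148 and parameterised traffic to the LogoImageHandler.ashx endpoint backed by the trojanised DLL, are the things a defender would most want to pick out of IIS logs. The following is an added example written for this article; it is not code from SolarWinds, CERT/CC, Unit 42 or GuidePoint. It models the flawed skip rule as the bulletin describes it beside a hardened form (an assumption about what a fix looks like, not the vendor patch), then runs a detector over constructed IIS W3C log lines. The `STATIC_DIRS` set, the `/SolarWinds/InformationService/` API path in the samples and the W3C field order are assumptions; the rule that any request to the logo handler carrying a query string is worth a look is a heuristic that must be compared against your own baseline.

```python
"""Added example, not from the original article or from SolarWinds.
Models the CVE-2020-10148 authorization-skip rule and scans constructed
IIS W3C log lines for the bypass pattern and for parameterised requests
to the LogoImageHandler.ashx endpoint (SUPERNOVA host DLL)."""
from urllib.parse import unquote

# The four PathInfo markers named in the CERT/CC bulletin for CVE-2020-10148.
SKIP_AUTH_MARKERS = ("WebResource.adx", "ScriptResource.adx", "i18n.ashx", "Skipi18n")

# Handler served by the trojanised app_web_logoimagehandler.ashx DLL.
LOGO_HANDLER = "logoimagehandler.ashx"

# Assumption: directories from which the static-resource handlers are legitimately served.
STATIC_DIRS = {"", "orion"}


def orion_skips_authorization(path_info: str) -> bool:
    """Model of the flawed rule the bulletin describes: if any marker appears
    anywhere in PathInfo, SkipAuthorization is set and the request is handled
    unauthenticated. Illustrative reconstruction, not SolarWinds' code."""
    p = unquote(path_info).lower()
    return any(m.lower() in p for m in SKIP_AUTH_MARKERS)


def hardened_skips_authorization(path_info: str) -> bool:
    """Hardened variant (an assumption, not the vendor patch): the exemption
    applies only when the marker IS the requested resource and it sits in a
    static directory, so it cannot be appended to an API route."""
    segs = [s for s in unquote(path_info).lower().split("/") if s]
    if not segs or segs[-1] not in {m.lower() for m in SKIP_AUTH_MARKERS}:
        return False
    return "/".join(segs[:-1]) in STATIC_DIRS


def parse_w3c(lines):
    """Parse IIS W3C extended log lines using the #Fields header; yields dicts."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # IIS writes '+' for spaces inside a field
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return a finding label for one log entry, or None."""
    stem = unquote(entry.get("cs-uri-stem", "")).lower()
    query = entry.get("cs-uri-query", "-")
    # CVE-2020-10148: a marker is present, but not as a plain static-resource fetch.
    if orion_skips_authorization(stem) and not hardened_skips_authorization(stem):
        return "CVE-2020-10148 auth-bypass pattern"
    # Heuristic: the logo handler normally just returns an image, so a request
    # to it that carries parameters deserves a look (baseline against normal use).
    if stem.endswith("/" + LOGO_HANDLER) and query != "-":
        return "LogoImageHandler.ashx request with parameters (possible SUPERNOVA; heuristic)"
    return None


def scan_iis_log(lines):
    """Return (client_ip, method, stem, status, label) for every flagged entry."""
    findings = []
    for e in parse_w3c(lines):
        label = classify(e)
        if label:
            findings.append((e["c-ip"], e["cs-method"], e["cs-uri-stem"], e["sc-status"], label))
    return findings


# Constructed sample log (not real telemetry); field order is an assumption.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-20 10:00:01 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.0.9 Mozilla/5.0 200
2020-12-20 10:00:02 10.0.0.5 GET /Orion/WebResource.adx d=abc123 443 - 10.0.0.9 Mozilla/5.0 200
2020-12-20 10:00:03 10.0.0.5 GET /SolarWinds/InformationService/v3/Json/Query/WebResource.adx query=SELECT+Caption+FROM+Orion.Nodes 443 - 198.51.100.7 python-requests/2.25.0 200
2020-12-20 10:00:04 10.0.0.5 GET /SolarWinds/InformationService/v3/Json/Create/Skipi18n - 443 - 198.51.100.7 python-requests/2.25.0 200
2020-12-20 10:00:05 10.0.0.5 GET /Orion/LogoImageHandler.ashx - 443 - 10.0.0.9 Mozilla/5.0 200
2020-12-20 10:00:06 10.0.0.5 GET /Orion/LogoImageHandler.ashx a=1&b=2 443 - 198.51.100.7 python-requests/2.25.0 200
"""

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(*f)
```

On the sample, the ordinary fetch of `/Orion/WebResource.adx` is left alone, the two API requests that borrow a marker are flagged as the bypass pattern, and only the parameterised request to the logo handler is surfaced. A 200 on a flagged API request is the case to chase first; 401/403 responses on the same pattern still show that someone probed the host.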
Unit 42 researchers note that SuperNova is novel and powerful because of its in-memory execution, the sophistication of its parameter handling and execution, and the flexibility gained by exposing a full programmatic API to the .NET runtime.
The SuperNova web shell is believed to have been delivered by an unidentified third-party actor rather than by the SunBurst actor (UNC2452), because, unlike the SunBurst DLL, this DLL is not digitally signed.
Government agencies and security researchers are still working out the full consequences of the attack and piecing together a global intrusion campaign that could affect up to 18,000 SolarWinds customers.
FireEye, the first company to discover the SunBurst implant, said in its analysis that once the actors behind the espionage operation had obtained legitimate remote access, they often removed their tools, including backdoors. This indicates a high degree of technical sophistication and a focus on operational security.
ReversingLabs and Microsoft found evidence that key building blocks of the code used in the SolarWinds attack were in place as early as October 2019, when the attackers first introduced harmless modifications into a regular software update, blending them with the original code, and later followed with the malicious modifications that enabled further attacks and data theft against SolarWinds customers.
The vendor-provided updates currently available for the affected SolarWinds Orion Platform versions are:
2019.4 HF 6 (released on December 14, 2020)
2020.2.1 HF 2 (released on December 15, 2020)
2019.2 SUPERNOVA Patch (released on December 23, 2020)
2018.4 SUPERNOVA Patch (released on December 23, 2020)
2018.2 SUPERNOVA Patch (released on December 23, 2020)
Customers who have already upgraded to version 2020.2.1 HF 2 or version 2019.4 HF 6 are protected against both SunBurst and SuperNova and need take no further action.
© 2024 shulou.com SLNews company. All rights reserved.