Another top VPN would be used to spread the SolarWinds hack

Threat actors used a Pulse Secure VPN appliance to install the Supernova webshell on a victim's SolarWinds Orion server and harvest user credentials without authorization, according to a new warning. According to a recent advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA), this appears to be the first observed case of a threat actor injecting the Supernova webshell directly into a victim's SolarWinds installation. The attack is notable because it deviates from the vector used in the earlier SolarWinds attack: instead of tampering with the supply chain, the attackers in this latest case installed the webshell by connecting directly to the victim's SolarWinds server.

“CISA believes that this is an independent actor from the APT actor responsible for SolarWinds' supply chain engagement. Organizations that encounter Supernova at their SolarWinds facility should treat this incident as a separate attack,” CISA writes in its latest advisory.

New attack vector

The SolarWinds attack discovered in December 2020 injected malicious updates into the SolarWinds software. The US attributed the attack to state-sponsored Russian threat actors, and there were several repercussions, including sanctions on Russian companies and the expulsion of Russian diplomats. Various mitigation measures have since been introduced to protect SolarWinds servers from compromise. However, the new CISA advisory suggests that threat actors have adopted a new tactic.

In its analysis, CISA notes that the threat actor used the Pulse Secure VPN appliance to connect to the victim's servers between at least March 2020 and February 2021. Although CISA notes that the attackers authenticated to the Pulse Secure VPN appliance using stolen credentials to impersonate remote workers, cybersecurity company Ivanti last week acknowledged a flaw in its Pulse Connect Secure VPN appliances. The company said the flaw was exploited by threat actors to break into the systems of "a very limited number of customers."

While CISA has observed the new attack strategy against only a single victim, it stands to reason that there could be several more. Alarmingly, based on CISA's analysis, the attack appears to be unaffected by the mitigations put in place for the SolarWinds supply chain attack.

Via VentureBeat