Infosec pros warned of second SolarWinds Orion vulnerability

IT administrators who use SolarWinds’ Orion network management platform have more than one vulnerability to search for in the wake of news that the suite has been compromised.

Dubbed Supernova by Palo Alto Networks’ Unit 42 researchers, the second threat is described as a “sophisticated, in-memory webshell baked into Orion’s code, which acted as an interactive .NET runtime API.” The webshell payload is compiled on the fly and executed dynamically, the report says, which makes it harder for endpoint detection tools to spot: the attacker’s code never has to be written to disk as a separate file.

Supernova is separate from the Sunburst backdoor (also tracked as Solorigate), which FireEye researchers found inside a trojanized Orion software update and which is believed to be the work of a nation-state. That malware was digitally signed with SolarWinds’ legitimate code-signing certificate, which helped it get past security controls. The Supernova DLL carries no digital signature, which has led Microsoft to conclude it was likely created by a different threat actor.

Separately, a U.S. senator who received a closed-door briefing on the Orion-related hacks said that dozens of email accounts belonging to senior Treasury Department officials were compromised. It wasn’t clear which of the two implants was used.

American officials have said the State Department, Commerce Department, Treasury, Homeland Security Department, and the National Institutes of Health have been compromised through an Orion exploit.

SolarWinds says as many as 18,000 customers may have downloaded the trojanized Orion updates, which were released between March and June 2020. In a statement, Cisco said it has identified and mitigated affected software in a small number of lab environments and on a limited number of employee endpoints, adding that it doesn’t use SolarWinds for its enterprise network management or monitoring. VMware, meanwhile, said it has identified “limited instances” of the vulnerable Orion software in its internal environment, with no indication of exploitation.

In its analysis of Supernova, Palo Alto researchers noted that .NET webshells are fairly common, and usually perform some relatively surface-level exploitation — for example, commanding the implant to dump directory structures or operating system information or to perform a network call to load more exploitation tools.

“Supernova differs dramatically in that it takes a valid .NET program as a parameter,” say researchers. “The .NET class, method, arguments and code data are compiled and executed in-memory. There are no additional forensic artifacts written to disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the initial C2 request.

“In other words, the attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network. The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on Windows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign SolarWinds operation and is executed dynamically. This is significant because it allows the attacker to deploy full-featured – and presumably sophisticated – .NET programs in reconnaissance, lateral movement and other attack phases.”

Palo Alto notes that the only way to catch advanced intrusions is a defense-in-depth strategy.
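What the description above means for a defender is that the malicious program arrives as a request parameter, so the place to look for it is the web server’s request log rather than the file system. The Python script below is an added illustration (it is not code from the article, Palo Alto Networks, Microsoft or SolarWinds) that scans IIS W3C log lines for that pattern in two ways: a specific check for the handler path and the four parameter names (clazz, method, args, codes) that the public Unit 42 and Microsoft analyses of Supernova reported, which this article does not name, and a generic check for any query parameter whose value looks like C# source, which does not depend on those names. The log lines are constructed for the example.

```python
"""Heuristic scan of IIS W3C log lines for in-memory .NET webshell traffic.

Added example for illustration only; not code from the article, Palo Alto
Networks, Microsoft or SolarWinds.

Assumptions (not stated in the article):
  * Logs are in IIS W3C extended format with exactly the fields in FIELDS.
  * SUPERNOVA_HANDLER and SUPERNOVA_PARAMS follow the public Unit 42 and
    Microsoft write-ups of Supernova; the generic C#-source check below does
    not rely on them.
"""
from urllib.parse import parse_qs

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Assumed names: handler path and query parameters reported for Supernova.
SUPERNOVA_HANDLER = "/orion/logoimagehandler.ashx"
SUPERNOVA_PARAMS = {"clazz", "method", "args", "codes"}

# Tokens a C# program handed to the runtime compiler needs, but a legitimate
# query string almost never contains.
CSHARP_MARKERS = ("using system", "namespace ", "class ", "public static", "void ")


def parse_w3c_line(line):
    """Split one W3C log line into a dict; None for comments, blanks, bad lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def looks_like_csharp(text):
    """True when a parameter value contains enough C# structure to be a program."""
    t = text.lower()
    hits = sum(1 for marker in CSHARP_MARKERS if marker in t)
    return hits >= 2 and "{" in text and ";" in text


def classify(entry):
    """Return the reasons (possibly none) this request looks like webshell traffic."""
    reasons = []
    raw_query = entry["cs-uri-query"]
    if raw_query == "-":          # IIS logs '-' when there is no query string
        return reasons
    # parse_qs percent-decodes each value once, so '+' and %xx in the logged
    # query string come back as the characters the handler would have seen.
    params = parse_qs(raw_query, keep_blank_values=True)
    if entry["cs-uri-stem"].lower() == SUPERNOVA_HANDLER and SUPERNOVA_PARAMS <= set(params):
        reasons.append("supernova-parameter-set")
    for name, values in params.items():
        if any(looks_like_csharp(v) for v in values):
            reasons.append(f"csharp-source-in-param:{name}")
    return reasons


def scan(lines):
    """Return (line_no, client_ip, uri_stem, reasons) for every suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_w3c_line(line.rstrip("\r\n"))
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((n, entry["c-ip"], entry["cs-uri-stem"], reasons))
    return findings


# Constructed sample log: one login, one benign logo fetch, one request that
# carries a C# class in the 'codes' parameter.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-15 03:14:07 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.0.20 Mozilla/5.0 200
2020-12-15 03:14:09 10.0.0.5 GET /Orion/LogoImageHandler.ashx id=logo 443 - 10.0.0.20 Mozilla/5.0 200
2020-12-15 03:15:42 10.0.0.5 GET /Orion/LogoImageHandler.ashx clazz=Recon&method=Run&args=&codes=using+System%3Busing+System.IO%3Bpublic+class+Recon%7Bpublic+static+string+Run(string+a)%7Breturn+string.Join(%22%2C%22%2CDirectory.GetDirectories(%22C%3A%5C%5C%22))%3B%7D%7D 443 - 198.51.100.7 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for n, ip, stem, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {ip} -> {stem}: {', '.join(reasons)}")
```

Two caveats apply when running something like this against a real Orion server. IIS does not record request bodies, so a webshell driven through POST parameters leaves only the handler path and the client address in the log, not the source code; the generic check then only helps where the operator used GET. And absence of hits says nothing about the unsigned DLL itself, which still has to be found and hashed on disk.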


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
