A second attack on SolarWinds has come to light, though little information about it is available so far. Security researchers do not believe this second group was connected to the alleged Russian state hackers who breached SolarWinds to embed malware in its official Orion software.
The report from US security firm FireEye follows earlier reporting by Reuters, the Washington Post, and the Wall Street Journal.
According to those reports, the malware used in the initial attack, identified as Sunburst (or Solorigate), was delivered to SolarWinds customers as a booby-trapped Orion update.
On compromised networks, the malware downloaded a second backdoor called Teardrop, which lets an attacker start a hands-on-keyboard session, also known as a human-operated attack.
Microsoft documented the SolarWinds compromise in security notices sent to its customers, notably on Sunday, and offered countermeasures for customers who may have been affected.
Cybersecurity experts initially assumed that the attackers used the Supernova web shell to download, compile, and run a malicious PowerShell script (which some have named CosmicGale).
However, a subsequent review by Microsoft security teams has now established that the Supernova web shell was not part of the initial attack.
Supernova installations in corporate networks should instead be treated as a distinct attack on SolarWinds installations.
The Supernova web shell appears to be planted on SolarWinds Orion installations that were exposed online, left unpatched, and vulnerable to CVE-2019-8917, according to a GitHub post by Microsoft security expert Nick Carr.
This is excellent analysis of a webshell!
However, SUPERNOVA & COSMICGALE are unrelated to this intrusion campaign.
You should definitely investigate them separately bc they are interesting – but don’t let it distract from the SUNBURST intrusions.
— Nick Carr (@ItsReallyNick) December 17, 2020
The confusion over whether Supernova was part of the Sunburst+Teardrop attack chain arose because, like Sunburst, Supernova was disguised as a DLL for the Orion app: Sunburst was hidden inside the SolarWinds.Orion.Core.BusinessLayer.dll file, and Supernova inside App_Web_logoimagehandler.ashx.b6031896.dll. But in an analysis posted on Friday, Microsoft noted that the Supernova DLL was not digitally signed, which was seen as highly uncharacteristic of the attackers, who had until then shown a high degree of sophistication and care in their operations.
This looked like too blatant a mistake for the original attackers to have made, and Microsoft therefore concluded that the malware was unrelated to the original SolarWinds supply chain attack.
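The distinguishing signal described above, an unsigned DLL sitting inside the Orion installation, is something a defender can check for directly. The following PowerShell script is an added example, not code from the article, from Microsoft or from SolarWinds: it inventories every DLL under an Orion install directory, reports any that do not carry a valid Authenticode signature, and flags the Supernova file name quoted above. The install path in $OrionRoot is an assumed default and should be adjusted to match the deployment being checked.

```powershell
# Added example (not from the article, Microsoft or SolarWinds): list Orion DLLs
# that lack a valid Authenticode signature, and flag the known web shell name.
# $OrionRoot is an assumed default install path; adjust it for your deployment.
param(
    [string]$OrionRoot = 'C:\Program Files (x86)\SolarWinds\Orion'
)

# File name of the Supernova DLL as given in the article; a hit warrants incident response.
$SupernovaName = 'App_Web_logoimagehandler.ashx.b6031896.dll'

$findings = Get-ChildItem -Path $OrionRoot -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Status   = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            KnownBad = ($_.Name -ieq $SupernovaName)
        }
    }

# Anything without a valid signature, plus the named web shell DLL, is worth a closer look.
$suspicious = $findings | Where-Object { $_.Status -ne 'Valid' -or $_.KnownBad }
$suspicious | Sort-Object KnownBad -Descending | Format-Table Path, Status, Signer, KnownBad -AutoSize

# A valid signature alone is not proof of a clean file: the Sunburst DLL named in the
# article shipped inside a legitimately signed update, so also compare file hashes
# against the indicators published by the vendor and by Microsoft.
```

Run the script with elevated privileges on the Orion host itself, since the DLLs live under Program Files. An empty result means every DLL under the path carried a valid signature and none matched the Supernova file name; it does not rule out a signed but trojanized component, which is why the closing comment points to hash comparison as a second check.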