Another Hacking Group Has Targeted SolarWinds Systems

A second attack has come to light, but there is still little information about it. Security researchers do not believe this second group is connected to the alleged Russian state hackers who breached SolarWinds to embed malware into its official Orion software.

The report from US security firm FireEye follows earlier coverage by Reuters, the Washington Post, and the Wall Street Journal.

According to them, the malware used in the initial attack, known as Sunburst (or Solorigate), was delivered to SolarWinds customers as a booby-trapped Orion update.

On compromised networks, the malware would download a second backdoor called Teardrop, which lets an attacker start a hands-on-keyboard session, also known as a human-operated attack.

Image credit: Microsoft

Microsoft documented the SolarWinds compromise in security notices sent to its customers on Sunday and offered countermeasures for customers who may have been affected.

Security researchers initially assumed that attackers would use the Supernova web shell to download, compile, and execute a malicious PowerShell script (which some have named CosmicGale).


However, a subsequent review by Microsoft security teams has now established that the Supernova web shell was not part of the initial attack.

Supernova infections found in corporate networks should therefore be treated as a separate attack on SolarWinds installations.

The Supernova web shell appears to be planted on SolarWinds Orion installations that are exposed online and left unpatched against CVE-2019-8917, according to a write-up by Microsoft security researcher Nick Carr on GitHub.

The confusion over whether Supernova belonged to the Sunburst+Teardrop attack chain arose because, like Sunburst, Supernova was disguised as a DLL for the Orion app: Sunburst was hidden inside the SolarWinds.Orion.Core.BusinessLayer.dll file, and Supernova inside App_Web_logoimagehandler.ashx.b6031896.dll. But in an analysis published on Friday, Microsoft noted that the Supernova DLL was not digitally signed, which was seen as highly unusual for the original attackers, who had shown a high degree of sophistication and care in their operations up to that point.

This looked like too flagrant an error for the original attackers to have made, and Microsoft therefore concludes that the malware is unrelated to the original SolarWinds supply chain attack.
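The missing digital signature is the one concrete distinguishing mark the article gives for Supernova, and it is something an Orion administrator can check directly. The script below is an added example, not code from the article, Microsoft, or SolarWinds: it walks the Orion install and web directories, records the Authenticode status of every DLL, and flags files whose signature is missing or invalid, highlighting the two file names the article mentions. The two directory paths are assumed defaults and should be adjusted to the local install; a validly signed trojanized DLL (as the Sunburst host DLL was) will not be caught by a signature check alone, so this only addresses the unsigned Supernova case the article describes.

```powershell
# Added example (not from the article or from Microsoft/SolarWinds).
# Lists DLLs under Orion's directories whose Authenticode signature is missing
# or invalid, and marks the two file names the article discusses.

param(
    # Assumed default locations of the Orion application and its IIS web site;
    # point these at the real install if it differs.
    [string[]]$Roots = @(
        'C:\Program Files (x86)\SolarWinds\Orion',
        'C:\inetpub\SolarWinds'
    )
)

# File names named in the article. Presence alone proves nothing; the signature
# status is the signal the article describes for Supernova.
$namesOfInterest = @(
    'SolarWinds.Orion.Core.BusinessLayer.dll',
    'App_Web_logoimagehandler.ashx.b6031896.dll'
)

$results = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Noteworthy = $namesOfInterest -contains $_.Name
            }
        }
}

# Anything not 'Valid' in these trees deserves a look. An unsigned DLL carrying the
# Supernova file name is the specific indicator the article describes; a signed DLL
# such as the Sunburst host needs a hash or IoC comparison that this script does not do.
$results |
    Where-Object { $_.Status -ne 'Valid' -or $_.Noteworthy } |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the Orion server, or pass `-Roots` with the actual install paths. A `NotSigned` or `HashMismatch` entry for the `App_Web_logoimagehandler.ashx.b6031896.dll` name is the condition the article's Microsoft analysis points to; a `Valid` signature from SolarWinds on the BusinessLayer DLL does not clear it, since Sunburst shipped signed.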
