More clues appear to link Supernova web shell activity to Chinese hackers

Spiral threat group used compromised servers to deploy the Supernova web shell


Researchers from the Counter Threat Unit (CTU) at Secureworks have discovered a possible link to China while examining how SolarWinds servers were used to deploy malware.

Late last year, a compromised internet-facing SolarWinds server was used as a springboard by hackers to deploy the .NET web shell Supernova. Based on similar intrusions that occurred on the same network, it appears that the China-based Spiral threat group is responsible for both cases.

According to Secureworks’ new report, the authentication bypass vulnerability in the SolarWinds Orion API, tracked as CVE-2020-10148, which can lead to remote execution of API commands, has been actively exploited by Spiral. When vulnerable servers are detected and exploited, a script capable of writing the Supernova web shell to disk is deployed using a PowerShell command.

Supernova, which is written in .NET, is an advanced web shell that can maintain persistence on a compromised machine as well as compile “method, arguments and code data” in memory, according to a post from Palo Alto Networks’ Unit 42.


During an incident observed by Secureworks that occurred last August, Supernova was used by Spiral to perform reconnaissance and domain mapping and to steal both credentials and information from a ManageEngine ServiceDesk server. This incident shares similarities with the one that occurred in November and was analyzed by the firm’s Counter Threat Unit.

While these two cases are believed to be the work of the Spiral threat group, there is no link to the SolarWinds hack that occurred in December of last year.

To prevent falling victim to future attacks by Spiral, Secureworks recommends that organizations use available controls to restrict access to several IP addresses (which can be found here) that point to the threat group’s C&C servers.


Via ZDNet

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
