On December 13th, 2020, SolarWinds reported that attackers had inserted malicious code into builds of its Orion platform, which was then distributed to customers through Orion's normal software update mechanism. Security researchers have since identified a second piece of malware, SuperNova, on compromised Orion servers. SolarWinds software is widely used across the public and private sectors. The breach led to the compromise of the U.S. Departments of Treasury, Commerce, Homeland Security, and State, and affected companies such as FireEye and Microsoft. SolarWinds stated that up to 18,000 of its roughly 300,000 customers may have installed the trojanized update, making this one of the largest and most consequential security incidents of 2020. Into 2021, the full extent of the breach is still coming to light. The attacker is described as a sophisticated threat actor, likely backed by a nation-state. Some reports attribute the intrusion to the Russian group known as Cozy Bear/APT29; this has not been confirmed, and the Kremlin has denied the accusations. You can read more about the full extent of the data breach here.
The New SuperNova Malware and How It’s Used
The trojanized Orion component was named Sunburst. It was a digitally signed DLL in the Orion software framework that contained a backdoor communicating over HTTP with attacker-controlled servers. Because it came from a trusted vendor and carried a valid SolarWinds signature, customers installed it like any other update. In addition to the backdoor, Sunburst uses obfuscated blocklists, stored as hashes rather than plaintext names, to identify security, forensic, and antivirus tools running as processes, services, and drivers, and changes its behaviour (halting, or attempting to disable the service) when it finds a match.
SuperNova was first found during analysis of Sunburst and was initially assumed to be part of the same intrusion. Later analysis showed that it is distinct: rather than arriving through the signed update, it exploits a vulnerability in the Orion platform to place a trojanized .NET DLL on the Orion server. Unlike the Sunburst DLL, SuperNova is not digitally signed, a difference that could have let analysts identify it earlier. Functionally it resembles Sunburst in purpose: the loaded DLL is a web shell that acts as a backdoor and provides persistent access to the Orion web server. What makes this web shell hard to deal with is that it accepts code in HTTP requests and compiles and executes it in memory, leaving little on disk for forensic analysts to find during post-breach investigation. Many believe SuperNova may be the work of an entirely different threat actor, which would mean that two actors independently gained access to the same Orion installations. You can read a detailed breakdown of the malware here.
Sunburst Connection to the Kazuar Malware Family
Researchers at Kaspersky compared Sunburst with Kazuar, a .NET backdoor attributed to the Turla group, and found several overlaps in how the two are built:
- Both use a sleeping algorithm that keeps the implant dormant for a random period between connections to its C2 server
- Both make extensive use of the FNV-1a hash, which Sunburst uses to obfuscate strings such as the names on its blocklists
- Both generate a unique victim identifier with a similar algorithm
These overlaps admit several explanations, none of which has been confirmed:
- Sunburst and Kazuar were developed by the same threat group
- The adversary behind Sunburst used Kazuar as an inspiration
- The groups behind Kazuar (Turla) and Sunburst (UNC2452, also tracked as Dark Halo) obtained the code from a single source
- The developers of Kazuar moved to another team, taking their toolset with them
- The Sunburst developers deliberately introduced these links as a "false flag" to shift blame to another group
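The hashed blocklist described in the Sunburst section and the FNV-1a overlap listed above both come down to the same trick, shown below as an added example (not code from Sunburst, Kazuar, or the article): the implant ships only FNV-1a digests of tool names, hashes each running process name and looks it up, and an analyst recovers the hidden names by hashing a wordlist of plausible tools against the list. The FNV-1a constants are the standard 64-bit ones; the XOR key, the blocklisted tool names, the process list, and the wordlist are constructed for the example and are not Sunburst's.

```python
"""
FNV-1a hashed blocklist: the implant-side check and the analyst-side
recovery. Added example; not code from Sunburst, Kazuar, or the article.
"""
from typing import Dict, FrozenSet, Iterable, List

FNV64_OFFSET = 0xCBF29CE484222325   # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 0x100000001B3         # standard FNV-1a 64-bit prime
MASK64 = (1 << 64) - 1

# Assumption: the implant XORs every FNV-1a digest with a fixed key so the
# stored values do not match a plain FNV-1a lookup. This key is made up for
# the example; it is not Sunburst's constant.
XOR_KEY = 0x6C5D4E3F2A1B0C9D


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: xor each byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for byte in data:
        h ^= byte
        h = (h * FNV64_PRIME) & MASK64
    return h


def obfuscated_hash(name: str, key: int = XOR_KEY) -> int:
    """Hash a process/service/driver name the way the blocklist stores it.
    Names are lower-cased first so the comparison is case-insensitive."""
    return fnv1a_64(name.lower().encode("utf-8")) ^ key


# Constructed blocklist: only the hashes would ship in the binary, never the
# names. The tool names are chosen for the example, not copied from Sunburst.
_BLOCKLISTED_TOOLS = ["procmon", "wireshark", "autoruns", "processhacker"]
BLOCKLIST: FrozenSet[int] = frozenset(obfuscated_hash(n) for n in _BLOCKLISTED_TOOLS)


def matching_hashes(running: Iterable[str],
                    blocklist: FrozenSet[int] = BLOCKLIST) -> List[int]:
    """Implant-side check: hash each running process name and look it up.
    Returns the digests that matched; a non-empty result is the signal on
    which the implant would go quiet."""
    hits = []
    for proc in running:
        h = obfuscated_hash(proc)
        if h in blocklist:
            hits.append(h)
    return hits


def recover_names(blocklist: Iterable[int], wordlist: Iterable[str],
                  key: int = XOR_KEY) -> Dict[int, str]:
    """Analyst-side recovery: the hash hides the names, but the space of
    plausible tool names is small, so hashing a wordlist and keeping the
    values that appear in the blocklist reveals what the implant avoids."""
    targets = set(blocklist)
    found: Dict[int, str] = {}
    for word in wordlist:
        h = obfuscated_hash(word, key)
        if h in targets:
            found[h] = word
    return found


if __name__ == "__main__":
    # Constructed process list for a host where Wireshark is running.
    host = ["svchost", "explorer", "Wireshark", "notepad"]
    print("blocklist hits:", [hex(h) for h in matching_hashes(host)])

    # Constructed analyst wordlist: common security tools plus noise.
    wordlist = ["procmon", "procexp", "wireshark", "autoruns",
                "x64dbg", "ida64", "processhacker"]
    for h, name in sorted(recover_names(BLOCKLIST, wordlist).items()):
        print(f"{h:016x} -> {name}")
```

The recovery step is the practical takeaway: hashing hides the list from a casual string search, but because process names are a small dictionary, an analyst who recovers the hash routine and any XOR key from the binary can enumerate the list offline in seconds. Without the right key (try `recover_names(BLOCKLIST, wordlist, key=0)`) nothing matches, which is why the first job in analysing such a sample is to pin down the exact hash variant.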