
T-Room

The Best in Alternative News


March 10, 2021 at 8:19 pm

SolarWinds Hack — New Evidence Suggests Potential Links to Chinese Hackers…


by Ravie Lakshmanan at The Hacker News

A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds’ Orion network monitoring software may have been the work of a threat group possibly based in China.

In a report published by Secureworks on Monday, the cybersecurity firm attributed the intrusions to a threat actor it calls Spiral.

Back on December 22, 2020, Microsoft disclosed that a second espionage group may have been abusing the IT infrastructure provider’s Orion software to drop a persistent backdoor called Supernova on target systems.

The findings were also corroborated by cybersecurity firms Palo Alto Networks’ Unit 42 threat intelligence team and GuidePoint Security, both of whom described Supernova as a .NET web shell implemented by modifying an “app_web_logoimagehandler.ashx.b6031896.dll” module of the SolarWinds Orion application.

The alterations were made possible not by breaching the SolarWinds app update infrastructure but instead by leveraging an authentication bypass vulnerability in the Orion API tracked as CVE-2020-10148, in turn allowing a remote attacker to execute unauthenticated API commands.

“Unlike Solorigate [aka Sunburst], this malicious DLL does not have a digital signature, which suggests that this may be unrelated to the supply chain compromise,” Microsoft had noted.
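Because the distinguishing feature Microsoft points to is the absence of a digital signature on the tampered DLL, one practical triage step on an Orion server is to enumerate the DLLs in the Orion install and web directories and flag any whose Authenticode signature is missing, broken or issued to an unexpected signer. The script below is an added example written for this article, not code from The Hacker News, Microsoft, Secureworks or SolarWinds; the two directory paths are assumed default Orion locations and should be adjusted for the host being examined.

```powershell
# Added example: flag DLLs under the SolarWinds Orion directories that are not
# validly signed. The Supernova web shell DLL carries no digital signature,
# whereas the legitimate SolarWinds modules it replaces are signed.
# Run from an elevated PowerShell session on the Orion server.

$orionPaths = @(
    'C:\Program Files (x86)\SolarWinds\Orion',   # assumed default install directory
    'C:\inetpub\SolarWinds'                      # assumed default Orion web root
)

$results = foreach ($root in $orionPaths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                Status        = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                LastWriteUtc  = $_.LastWriteTimeUtc
                # The compiled handler module named in the article; an unsigned copy is a red flag.
                IsLogoHandler = $_.Name -like 'app_web_logoimagehandler.ashx.*.dll'
            }
        }
}

# Anything that is not a valid signature, or is signed by a subject other than
# SolarWinds, is pulled out for a closer look. Most recently written files first.
$suspect = $results | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notlike '*SolarWinds*'
}

$suspect | Sort-Object LastWriteUtc -Descending |
    Format-Table Path, Status, Signer, LastWriteUtc, IsLogoHandler -AutoSize
```

The signer filter is deliberately strict and will also surface legitimately bundled third-party libraries signed by other vendors, so treat the output as a triage list rather than a verdict: compare the flagged files against a known-good Orion installation of the same version, and give particular weight to any unsigned file whose name matches the logo handler module or whose last-write time falls outside a known patch window.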

While the Sunburst campaign has since been formally linked to Russia, the origins of Supernova remained a mystery until now.

According to Secureworks Counter Threat Unit (CTU) researchers, who discovered the malware in November 2020 while responding to an intrusion on a Secureworks customer’s network, “the immediate and targeted nature of the lateral movement suggests that Spiral had prior knowledge of the network.”

During the course of further investigation, the firm said it found similarities between the incident and prior intrusion activity on the same network uncovered in August 2020, which had been achieved by exploiting a vulnerability in the ManageEngine ServiceDesk product, possibly as early as 2018.

“CTU researchers were initially unable to attribute the August activity to any known threat groups,” the researchers said. “However, the following similarities to the Spiral intrusion in late 2020 suggest that the Spiral threat group was responsible for both intrusions.”

The connection to China stems from the fact that attacks targeting ManageEngine servers…


Copyright © 2025 T-Room