{
	"id": "d9e01194-8385-4df1-8a39-588563eb522a",
	"created_at": "2026-04-06T01:29:13.74367Z",
	"updated_at": "2026-04-10T13:12:01.034954Z",
	"deleted_at": null,
	"sha1_hash": "21cbda4c6226f296a06e6efcb997d2a036b54514",
	"title": "CISA Identifies SUPERNOVA Malware During Incident Response | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107905,
	"plain_text": "CISA Identifies SUPERNOVA Malware During Incident Response | CISA\r\nPublished: 2021-04-29 · Archived: 2026-04-06 01:18:32 UTC\r\nFrom at least March 2020 through February 2021, the threat actor connected to the entity via the entity’s Pulse Secure VPN appliance (External Remote Services [T1133]). The threat actor connected via the U.S.-based residential IP addresses listed below, which allowed them to masquerade as teleworking employees. (Note: these IP addresses belong to routers that are all similar models; based on this activity, CISA suspects that these routers were likely exploited by the threat actor.)\r\n207.89.9[.]153\r\n24.140.28[.]90\r\n24.117.18[.]111\r\nThe threat actor authenticated to the VPN appliance through several user accounts (Valid Accounts [T1078]), none of which had multi-factor authentication (MFA) enabled. (CISA does not know how the threat actor initially obtained these credentials.) Once authenticated to the VPN appliance, the threat actor initiated a VPN connection to the environment (External Remote Services [T1133]). The media access control (MAC) address of the threat actor’s machine as recorded in the VPN appliance logs indicates use of a virtual machine. The threat actor then moved laterally to the entity’s SolarWinds Orion appliance (Lateral Movement [TA0008]) and established Persistence [TA0003] by using a PowerShell script (Command and Scripting Interpreter: PowerShell [T1059.001]) to decode (Deobfuscate/Decode Files or Information [T1140]) and install SUPERNOVA (Ingress Tool Transfer [T1105], Server Software Component: Web Shell [T1505.003]). The SUPERNOVA webshell allows a remote operator to dynamically inject C# source code into a web portal provided via the SolarWinds software suite. The injected code is compiled and directly executed in memory. 
For more information on SUPERNOVA, refer to MAR-10319053-1.v1 - SUPERNOVA.\r\nThe threat actor was able to dump credentials from the SolarWinds appliance via two methods (Credential Access [TA0006]).\r\nThe threat actor used Export-PfxCertificate to gather cached credentials used by the SolarWinds appliance server and network monitoring (Unsecured Credentials: Private Keys [T1552.004]). The private key certificate must have been marked as exportable; either the threat actor was able to change or bypass that property beforehand, or the affected entity mistakenly marked the certificate exportable.\r\nThe threat actor placed a copy of procdump.exe (Ingress Tool Transfer [T1105])—disguised as the entity’s logging infrastructure, splunklogger.exe (Masquerading: Rename System Utilities [T1036.003])—on the SolarWinds Orion server. The threat actor used this tool and the system-level access to dump Local Security Authority Subsystem Service (LSASS) memory to obtain additional credentials (OS Credential Dumping: LSASS Memory [T1003.001]). Once the credentials were dumped, the threat actor placed them in the file c:\\inetpub\\SolarWinds\\ja\\license.txt (Data Staged: Local Data Staging [T1074.001]), and the threat actor made a GET request to the entity’s internet information services (IIS) server to Exfiltrate [TA0010] the file (Exfiltration Over C2 Channel [T1041]).\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a\r\nPage 1 of 4\n\n
The threat actor deleted the IIS logs for the date in question (Indicator Removal on Host: Clear Windows Event Logs [T1070.001]).\r\nCISA believes the logs would have likely revealed the threat actor exploited CVE-2020-10148, an authentication bypass vulnerability in the SolarWinds Orion Application Programming Interface (API) that allows a remote attacker to execute API commands.[2] CISA believes the threat actor leveraged CVE-2020-10148 to bypass authentication to the SolarWinds appliance and then used the SolarWinds Orion API ExecuteExternalProgram() to run commands with the same privileges the SolarWinds appliance was running with (in this case SYSTEM). CISA had not observed the threat actor using privileged accounts prior to the credential dumps, and the account being used to connect to the SolarWinds appliance (via VPN) did not have sufficient privilege to access it. The PowerShell process that initiated the credential harvesting and installation of SUPERNOVA was a child process of the solarwindsbusinesslayer.exe process. Two GET requests were logged in the following day’s log, with the internal Dynamic Host Configuration Protocol (DHCP) address given to the threat actor’s machine by the VPN appliance minutes after the exploitation, suggesting the threat actor was interacting with the SolarWinds web application. (Note: although the threat actor likely exploited CVE-2020-10148, it could have also exploited another API authentication bypass or remote code execution (RCE) vulnerability.)\r\nSeveral weeks later, the threat actor connected again via the VPN appliance and attempted to use credentials gained from the SolarWinds appliance. The threat actor connected to one machine via Server Message Block (SMB) (Transmission Control Protocol [TCP] port 445) and then attempted to log in to an additional workstation (Remote Services: SMB/Windows Admin Shares [T1021.002]). 
No additional activity was observed during this session.\r\nOn another occasion, the threat actor connected to the environment via the VPN and used Windows Management Instrumentation (WMI) (Windows Management Instrumentation [T1047]) to remotely launch a tasklist to determine the process ID for the LSASS process (Process Discovery [T1057]). Then the threat actor, via WMI (Windows Management Instrumentation [T1047]), launched procdump.exe, which was disguised as wininit.exe (Masquerading: Match Legitimate Name or Location [T1036.005]). After this, the threat actor placed and ran winrar, which was also disguised as wininit.exe (Masquerading: Match Legitimate Name or Location [T1036.005]), to archive credentials (Archive Collected Data: Archive via Utility [T1560.001]) before Exfiltration [TA0010]. CISA observed the disguised wininit.exe commands on two separate machines—one server and one workstation. The commands executed were:\r\ncmd /c tasklist /vc:\\windows\\temp\\TS_85ET.tmp\r\nprocdump.exe:\r\ncmd.exe c:\\windows\\temp\\wininit.exe -accepteula -ma 992 c:\\windows\\temp\\TS_9D3C.tmp\r\nwinrar.exe:\r\nc:\\windows\\temp\\wininit.exe a c:\\windows\\temp\\googleupdate.tmp -hpJimJameJump c:\\windows\\temp\\TS_9D3C.tmp.dmp\r\nCISA also observed the threat actor perform Discovery [TA0007]. Specifically, the threat actor sent single Internet Control Message Protocol (ICMP) packets to other network infrastructure within the entity to determine if a communications path existed (Remote System Discovery [T1018]) and looked for files on the domain administrator’s desktop as well as a ManageEngine server (File and Directory Discovery [T1083]).\r\nUpon discovery of the incident, the affected entity performed incident response in accordance with its incident response plan, and CISA’s engagement is ongoing. 
CISA encourages organizations to apply the recommendations provided in the Recommendations section. Organizations observing related activity should enact their incident response plan.\r\nRecommendations\r\nCISA recommends all organizations implement the following practices to strengthen the security posture of their organization's systems.\r\nCheck for instances of common executables executing with the hash of another process (e.g., splunklogger.exe with the hash of procdump).\r\nImplement MFA, especially for privileged accounts.\r\nUse separate administrative accounts on separate administration workstations.\r\nImplement Local Administrator Password Solution (LAPS).\r\nImplement the principle of least privilege on data access.\r\nSecure Remote Desktop Protocol (RDP) and other remote access solutions using MFA and “jump boxes” for access.\r\nDeploy and maintain endpoint defense tools on all endpoints.\r\nEnsure all software is up to date.\r\nIf your organization has ever used SolarWinds Orion versions 2019.4 through 2020.2.1 HF1, refer to CISA’s Emergency Directive ED 21-01, associated supplemental guidance, and CISA’s Activity Alert AA20-352A for additional guidance prior to applying patches. Although ED 21-01 and associated guidance only apply to Federal Civilian Executive Branch agencies, CISA encourages non-federal entities to review them for recommendations on operating the SolarWinds Orion platform.\r\nMaintain up-to-date antivirus signatures and engines.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local administrators' group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nEnable a personal firewall on organization workstations that is configured to deny unsolicited connection requests.\r\nDisable unnecessary services on organization workstations and servers.\r\nSummary\r\nThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework. See the ATT\u0026CK for Enterprise framework for all referenced threat actor techniques.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) recently responded to an advanced persistent threat (APT) actor’s long-term compromise of an entity’s enterprise network, which began in at least March 2020. The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials. (Updated April 29, 2021) Note: at this time CISA cannot link this activity to exploitation of CVE-2021-22893 as addressed in AA21-110A. The entity has run the Ivanti Pulse Secure Connect Integrity Tool and found activity consistent with mismatched files. CISA is still investigating the root cause for the mismatched files.\r\nSUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal, where it is then compiled and executed. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials. (Note: for more information on SUPERNOVA, refer to Malware Analysis Report MAR-10319053-1.v1 - SUPERNOVA.) 
According to a SolarWinds advisory, SUPERNOVA is not embedded within the Orion platform as a supply chain attack; rather, an attacker places it directly on a system that hosts SolarWinds Orion, and it is designed to appear as part of the SolarWinds product.[1] CISA assesses this is a separate actor from the APT actor responsible for the SolarWinds supply chain compromise described in Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. Organizations that find SUPERNOVA on their SolarWinds installations should treat this incident as a separate attack.\r\nThis report provides tactics, techniques, and procedures (TTPs) CISA observed during an incident response engagement. (Note: this threat actor targeted multiple entities in the same period; some information in this Analysis Report is informed by other related incident response engagements and CISA’s public and private sector partners.) This APT actor has used opportunistic tradecraft, and much is still unknown about its TTPs.\r\nFor a downloadable copy of indicators of compromise (IOCs) associated with this malware, see AR21-112A.stix and Malware Analysis Report MAR-10319053-1.v1.stix.\r\nReferences\r\n[1] SolarWinds Security Advisory: SUNBURST and SUPERNOVA\r\n[2] CERT/CC Vulnerability Note VU#843464: SolarWinds Orion API authentication bypass allows remote command execution\r\nRevisions\r\nApril 22, 2021: Initial Version\r\nApril 29, 2021: Added New Note in Summary\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a"
	],
	"report_names": [
		"ar21-112a"
	],
	"threat_actors": [],
	"ts_created_at": 1775438953,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21cbda4c6226f296a06e6efcb997d2a036b54514.pdf",
		"text": "https://archive.orkl.eu/21cbda4c6226f296a06e6efcb997d2a036b54514.txt",
		"img": "https://archive.orkl.eu/21cbda4c6226f296a06e6efcb997d2a036b54514.jpg"
	}
}