# CISA Identifies SUPERNOVA Malware During Incident Response **us-cert.cisa.gov/ncas/analysis-reports/ar21-112a** ## Summary _This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge_ _(ATT&CK®) framework. See the_ _[ATT&CK for Enterprise framework for all referenced threat](https://attack.mitre.org/versions/v7/matrices/enterprise/)_ _actor techniques._ The Cybersecurity and Infrastructure Security Agency (CISA) recently responded to an advanced persistent threat (APT) actor’s long-term compromise of an entity’s enterprise network, which began in at least March 2020. The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials. (Updated April 29, 2021) **Note:** at this time CISA cannot link this activity to exploitation of CVE-2021-22893 as addressed in [AA21-110A. The entity has run the Ivanti Pulse Secure Connect Integrity Tool and found](https://us-cert.cisa.gov/ncas/alerts/aa21-110a) activity consistent with mismatched files. CISA is still investigating the root cause for the mismatched files. SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal to subsequently inject code. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials. (Note: for more information on SUPERNOVA, refer to Malware [Analysis Report MAR-10319053-1.v1 - SUPERNOVA.) According to a SolarWinds advisory,](https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a) SUPERNOVA is not embedded within the Orion platform as a supply chain attack; rather, an attacker places it directly on a system that hosts SolarWinds Orion, and it is designed to [appear as part of the SolarWinds product.[1] CISA assesses this is a separate actor than the](https://www.solarwinds.com/sa-overview/securityadvisory#anchor2) APT actor responsible for the SolarWinds supply chain compromise described in Alert AA20[352A: Advanced Persistent Threat Compromise of Government Agencies, Critical](https://us-cert.cisa.gov/ncas/alerts/aa20-352a) Infrastructure, and Private Sector Organizations. Organizations that find SUPERNOVA on their SolarWinds installations should treat this incident as a separate attack. This report provides tactics, techniques, and procedures (TTPs) CISA observed during an incident response engagement. (Note: this threat actor targeted multiple entities in the same period; some information in this Analysis Report is informed by other related incident response engagements and CISA’s public and private sector partners.) This APT actor has used opportunistic tradecraft, and much is still unknown about its TTPs. For a downloadable copy of indicators of compromise (IOCs) associated with this malware, [see AR21-112A stix and Malware Analysis Report MAR-10319053-1 v1 stix](https://us-cert.cisa.gov/sites/default/files/publications/AR21_112A.stix.xml) ----- ## Description From at least March 2020 through February 2021, the threat actor connected to the entity via [the entity’s Pulse Secure VPN appliance (External Remote Services [T1133]). The threat](https://attack.mitre.org/versions/v8/techniques/T1133/) actor connected via the U.S.-based residential IP addresses listed below, which allowed them to masquerade as teleworking employees. (Note: these IP addresses belong to routers that are all similar models; based on this activity, CISA suspects that these routers were likely exploited by the threat actor.) ``` 207.89.9[.]153 24.140.28[.]90 24.117.18[.]111 ``` The threat actor authenticated to the VPN appliance through several user accounts (Valid _Accounts_ [[T1078]), none of which had multi-factor authentication (MFA) enabled. (CISA does](https://attack.mitre.org/versions/v8/techniques/T1078/) not know how the threat actor initially obtained these credentials.) Once authenticated to the VPN appliance, the threat actor initiated a VPN connection to the environment (External _Remote Services_ [[T1133]). The media access control (MAC) address of the threat actor’s](https://attack.mitre.org/versions/v8/techniques/T1133/) machine as recorded in the VPN appliance logs indicates use of a virtual machine. The threat actor then moved laterally to the entity’s SolarWinds Orion appliance (Lateral _Movement_ [[TA0008]) and established Persistence [TA0003] by using a PowerShell script](https://attack.mitre.org/versions/v8/tactics/TA0008/) (Command and Scripting Interpreter: PowerShell [[T1059.001]) to decode](https://attack.mitre.org/techniques/T1059/001/) (Deobfuscate/Decode Files or Information [[T1140]) and install SUPERNOVA (Ingress Tool](https://attack.mitre.org/versions/v8/techniques/T1140/) _Transfer_ [[T1105], Server Software Component: Web Shell](https://attack.mitre.org/versions/v8/techniques/T1105/) [[T1505.003]). The SUPERNOVA](https://attack.mitre.org/techniques/T1505/003/) webshell allows a remote operator to dynamically inject C# source code into a web portal provided via the SolarWinds software suite. The injected code is compiled and directly executed in memory. For more information on SUPERNOVA, refer to MAR-10319053-1.v1 SUPERNOVA. The threat actor was able to dump credentials from the SolarWinds appliance via two [methods (Credential Access [TA0006]).](https://attack.mitre.org/versions/v8/tactics/TA0006/) The threat actor used `Export-PfxCertificate to gather cached credentials used by` the SolarWinds appliance server and network monitoring (Unsecured Credentials: _Private Keys_ [[T1552.004]). The private key certificate must have been marked as](https://attack.mitre.org/versions/v8/techniques/T1552/004/) exportable; either the threat actor was able to change or bypass that property prior, or the affected entity mistakenly marked the certificate exportable. ----- The threat actor placed a copy of `procdump.exe` [(Ingress Tool Transfer [T1105])—](https://attack.mitre.org/versions/v8/techniques/T1105/) disguised as the entity’s logging infrastructure, `splunklogger.exe` (Masquerading: _Rename System Utilities_ [[T1036.003])—on the SolarWinds Orion server. The threat](https://attack.mitre.org/versions/v8/techniques/T1036/003/) actor used this tool and the system-level access to dump Local Security Authority Subsystem Service (LSASS) memory to obtain additional credentials (OS Credential _Dumping: LSASS Memory_ [[T1003.001]). Once the credentials were dumped, the threat](https://attack.mitre.org/versions/v8/techniques/T1003/001/) actor placed them in the `c:\inetpub\SolarWinds\ja\license.txt directory (Data` _[Staged: Local Data Staging [T1074.001]), and the threat actor made a](https://attack.mitre.org/versions/v8/techniques/T1074/001/)_ `GET request to` the entity’s internet information services (IIS) server to Exfiltrate [[TA0010] the file](https://attack.mitre.org/versions/v8/tactics/TA0010/) (Exfiltration Over C2 Channel [[T1041]). The threat actor deleted the IIS logs for the](https://attack.mitre.org/versions/v8/techniques/T1041/) date in question (Indicator Removal on Host: Clear Windows Event Logs [[T1070.001]).](https://attack.mitre.org/versions/v8/techniques/T1070/001/) CISA believes the logs would have likely revealed the threat actor exploited CVE-202010148, an authentication bypass vulnerability in SolarWinds Orion Application Programming [Interface (API) that allows a remote attacker to execute API commands.[2] CISA believes the](https://kb.cert.org/vuls/id/843464) threat actor leveraged CVE-2020-10148 to bypass the authentication to the SolarWinds appliance and then used SolarWinds Orion API `ExecuteExternalProgram() to run` commands with the same privileges the SolarWinds appliance was running (in this case ``` SYSTEM ). CISA had not observed the threat actor using privileged accounts prior to the ``` credential dumps, and the acc ount being used to connect to the SolarWinds appliance (via VPN) did not have sufficient privilege to access it. The PowerShell process that initiated the credential harvesting and installation of SUPERNOVA was a child process of the ``` solarwindsbusinesslayer.exe process. Two GET requests were logged in the following ``` day’s log, with the internal Dynamic Host Configuration Protocol (DHCP) address given to the threat actor’s machine by the VPN appliance minutes after the exploitation, suggesting the threat actor was interacting with the SolarWinds web application. (Note: although the threat actor likely exploited CVE-2020-10148, it could have also exploited another API authentication bypass or remote code execution (RCE) vulnerability.) Several weeks later, the threat actor connected again via the VPN appliance and attempted to use credentials gained from the SolarWinds appliance. The threat actor connected to one machine via Server Message Block (SMB) (Transmission Control Protocol [TCP] port 445) and then attempted to login to an additional workstation (Remote Services: SMB/Windows _Admin Shares_ [[T1021.002]). No additional activity was observed during this session.](https://attack.mitre.org/versions/v8/techniques/T1021/002/) On another occasion, the threat actor connected to the environment via the VPN and used Windows Management Instrumentation (WMI) (Windows Management Instrumentation [[T1047]) to remotely launch a tasklist to determine the process ID for the LSASS process](https://attack.mitre.org/versions/v8/techniques/T1047/) (Process Discovery [[T1057]). Then the threat actor, via WMI (Windows Management](https://attack.mitre.org/versions/v8/techniques/T1057/) _Instrumentation_ [[T1047]), launched](https://attack.mitre.org/versions/v8/techniques/T1047/) `procdump.exe, which was disguised as` `wininit.exe` (Masquerading: Match Legitimate Name or Location [[T1036.005]). After this, the threat actor](https://attack.mitre.org/versions/v8/techniques/T1036/005/) placed and ran `winrar, which was also disguised as` `wininit.exe (Masquerading:` _Match Legitimate Name or Location_ [[T1036.005]), to archive credentials (Archive Collected](https://attack.mitre.org/versions/v8/techniques/T1036/005/) ----- _Data: Archive via Utility_ [[T1560.001]) before Exfiltration](https://attack.mitre.org/versions/v8/techniques/T1560/001/) [[TA0010]. CISA observed the](https://attack.mitre.org/versions/v8/tactics/TA0010/) disguised `wininit.exe commands on two separate machines—one server and one` workstation. The commands executed were: ``` cmd.exe c:\windows\temp\wininit.exe -accepteula -ma 992 ``` ``` c:\windows\temp\TS_9D3C.tmp winrar.exe : c:\windows\temp\wininit.exe a c:\windows\temp\googleupdate.tmp hpJimJameJump c:\windows\temp\TS_9D3C.tmp.dmp ``` Upon discovery of the incident, the affected entity performed incident response in accordance with its incident response plan, and CISA’s engagement is ongoing. CISA encourages organizations to apply the recommendations provided in the Recommendations section. Organizations observing related activity should to enact their incident response plan. ## Recommendations CISA recommends all organizations implement the following practices to strengthen the security posture of their organization's systems. Check for instances of common executables executing with the hash of another process (e.g., `splunklogger.exe with the hash of` `procdump ).` Implement MFA, especially for privileged accounts. Use separate administrative accounts on separate administration workstations. Implement Local Administrator Password Solution (LAPS). Implement the principle of least privilege on data access. Secure Remote Desktop Protocol (RDP) and other remote access solutions using MFA and “jump boxes” for access. Deploy and maintain endpoint defense tools on all endpoints. Ensure all software is up to date. If your organization has ever used SolarWinds Orion versions 2019.4 through [2020.2.1 HF1, refer to CISA’s Emergency Directive ED 21-01, associated](https://cyber.dhs.gov/ed/21-01/) supplemental guidance, and CISA’s Activity Alert [AA20-352A for additional](https://us-cert.cisa.gov/ncas/alerts/aa20-352a) guidance prior to applying patches. Although ED 21-01 and associated guidance only apply to Federal Civilian Executive Branch agencies, CISA encourages non[federal entities to review them for recommendations on operating the SolarWinds](https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3) Orion platform. Maintain up-to-date antivirus signatures and engines. Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators' group unless required. Enforce a strong password policy and implement regular password changes. ----- Enable a personal firewall on organization workstations that is configured to deny unsolicited connection requests. Disable unnecessary services on organization workstations and servers. ## References Revisions April 22, 2021: Initial Version April 29, 2021: Added New Note in Summary [This product is provided subject to this Notification and this](https://us-cert.cisa.gov/privacy/notification) [Privacy & Use policy.](https://www.dhs.gov/privacy-policy) **Please share your thoughts.** [We recently updated our anonymous product survey; we'd welcome your feedback.](https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a) -----