Infosec professionals warn of other SolarWinds Orion vulnerability

IT administrators who use the SolarWinds Orion network management platform have more than one vulnerability that has been discovered in the wake of the news.

Supernova, dubbed by Palo Alto Networks, is described as a "sophisticated, in-memory vibeshell baked into Orion's code that has served as an interactive .NET runtime API." The report states that the webshell payload is compiled on the fly and executed dynamically, making it less easy to detect by endpoint detection applications.

The SUPERNOVA SOLARET / SUNBURST agreement differs from the security update found by FireEye researchers, which opens a backdoor for further exploitation supposedly created by a nation-state. This malware came with a signed digital certificate to help get past security blocks. Supernova does not have a digital signature, due to which Microsoft may conclude that it was created by a different threat actor.

Separately, the US senator, who received a closed-door briefing on Orion-related hacks, said dozens of email accounts of senior officials of the Treasury Department had been compromised. It was not clear which exploit was used.

US officials have said that the State Department, Department of Commerce, Treasury, Homeland Security Department and National Institutes of Health have reached a settlement through an Orion feat.

SolarWinds states that some 18,000 customers using Orion may have downloaded infected software updates between March and August. In a statement, Cisco said that it has identified and mitigated affected software in a small number of laboratory environments and a limited number of employee endpoints. Cisco said it does not use SolarWinds for its enterprise network management or monitoring, meanwhile, VMware said it has identified "limited examples" of vulnerable Orion software in its internal environment. He said that there is no sign of exploitation.

In their analysis of Supernova, Palo Alto researchers noted that .NET websellis are quite common, and usually exploit some relatively surface-level exploits — for example, to superimpose dump directory structures or operating system information Or giving commands to the implant to make a network call to load. More Exploitation Tools.

"Supernova is dramatically different in that it takes a valid .NET program as a parameter," the researchers say. “.NET classes, methods, arguments and code data are compiled and executed in memory. Unlike the low-level Websley stance, no additional forensic artifacts are written to disk, and there is no need for additional network callbacks other than the initial C2 request.

"In other words, attackers build a stealthy and fully-built .NET API embedded in the Orion binary, whose user is typically highly privileged and located within the organization's network with a high degree of visibility. Malicious C Attackers with # code can then arbitrarily configure SolarWinds (and any local operating system feature exposed by the .NET SDK on Windows). The code is compiled on the fly during gentle solar winds operation and is dynamically Is executed from. This is important because it allows the attacker to deploy fully - and possibly sophisticated - .NET programs in reconnaissance, lateral movement, and other attack phases. "

Palo Alto notes that a defense-in-depth strategy is the only way to capture advanced infiltration.