CISA Warns of New Malware Threat to Vulnerable SolarWinds Orion Tech

The Department of Homeland Security Cybersecurity and Infrastructure and Security Agency released an alert warning of a new malware variant known as SUPERNOVA, which is being used to target vulnerable SolarWinds Orion technology.

The new malware variant was not used in the initial supply chain cyberattack, which the agency first alerted to in December. The initial hack was caused by attackers exploiting a previous SolarWinds Orion software update with malware, allowing a number of high-profiled compromises.

The initial attack impacted FireEye and a number of federal agencies. At the time, SolarWinds confirmed the “incident was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state, but we have not independently verified the identity of the attacker.”

CISA and researchers have repeatedly warned that the event will continue to have a massive, rippling impact across all sectors. For now, it’s unclear the full extent of the compromise.

The latest alert provides details on the latest efforts hackers are employing to continue exploiting the vulnerable SolarWinds tech. First observed by FireEye, SUPERNOVA malware is embedded by the attackers directly onto a system hosting SolarWinds Orion.

“SUPERNOVA is not malicious code embedded within the builds of our Orion Platform as a supply chain attack,” SolarWinds officials said in a statement. “It’s malware separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.”

“The SUPERNOVA malware consisted of two components,” they added. “The first was a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896.dll” specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates.”

The vulnerability was previously resolved in the latest software release.

The malware is designed to appear as a legitimate part of the SolarWinds product. CISA confirmed that it does not appear to be part of the initial supply chain attack. Rather, SUPERNOVA is embedded into a trojanized version of the Orion Web Application module.

The attackers can leverage the malware to remotely and dynamically inject C# source code into a web portal through the SolarWinds software suite.

“The injected code is compiled and directly executed in memory,” according to CISA. Thus, the malicious PowerShell is able to be executed by the legitimate PowerShell application.

Essentially, the malware is patched into the plug-in and modifies the application to perform its malicious functions.

“The modification includes the ‘DynamicRun’ export function, which is designed to accept and parse provided arguments,” CISA officials wrote. “The arguments are expected to partially contain C# code, which the function will compile and execute directly in system memory.”

“The purpose of this malware indicates the attacker has identified a vulnerability allowing the ability to dynamically provide a custom ‘HttpContext’ data structure to the web application’s ‘ProcessRequest’ function,” they added. “The ProcessRequest function takes an HttpContext Data structure as an argument.” 

Portions of the request substructure of the parent HttpContext data structure are then parsed using keys “codes”, “clazz”, “method”, and “args”, and placed in respective variable codes, then provided as arguments to the DynamicRun function.

The alert contains all needed indicators of compromise and further descriptions of the attack method. CISA is urging all organizations to again ensure they’ve employed best practice security measures to prevent falling victim to an attack.

Administrators should review policies and procedures to make sure all antivirus, signatures, and operating system patches are routinely kept up to date. File sharing and printing services should be disabled. If those services are required, strong passwords or Active Directory authentication should be employed.

Access management and controls are also crucial preventative measures, which include restricting user permissions, enforcing strong password policies and routine password changes, strengthening email security training and policies, and monitoring users’ web browsing habits.

Administrators should also employ appropriate Access Control Lists (ACLs).

CISA previously provided resources and a threat analysis for the SolarWinds supply chain attack, which gives much needed insights around indicators of compromise and needed security measures.