The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has raised an alarm for a new cyberattack in which both a Pulse Secure VPN appliance and the SolarWinds Orion platform were abused for malicious purposes.
Both the Pulse Secure virtual private network (VPN) appliances and the SolarWinds platform are known targets for threat actors: the former for initial access to an environment, and the latter for performing supply chain attacks.
The newly described attack, CISA warns, should not be attributed to the Russian Foreign Intelligence Service (SVR), which the United States and other countries hold accountable for the compromise of government and private organizations through the SolarWinds Orion platform.
Initially identified in December 2020, the malware is deployed post compromise and allows the threat actor to perform reconnaissance and move laterally onto the environment, as well as to perform other activities.
From at least March 2020 through February 2021, CISA says, the APT leveraged several user accounts (none with multi-factor authentication (MFA) enabled) to connect to the victim environment via Pulse Secure VPN.
The attackers then moved laterally to the SolarWinds Orion appliance and deployed the Supernova webshell to “dynamically inject C# source code into a web portal provided via the SolarWinds software suite.”
CISA also notes that the attackers leveraged their access to dump credentials and that they likely exploited the CVE-2020-10148 authentication bypass vulnerability to execute API commands on the SolarWinds appliance.
“CISA had not observed the threat actor using privileged accounts prior to the credential dumps, and the account being used to connect to the SolarWinds appliance (via VPN) did not have sufficient privilege to access it,” the Agency says.
The APT connected to the environment on several occasions, attempted to use dumped SolarWinds credentials, as well as to further harvest and exfiltrate credentials.