Supernova

SpearTip | December 21st, 2020


The recent SolarWinds attack has made waves across the globe after multiple US government agencies, Microsoft, and FireEye were compromised. New evidence has been uncovered daily since the breach was disclosed, as the investigation develops and experts analyze exactly what took place.

Details of Supernova Malware

This is all very concerning, but what has taken things to another level is the appearance of a .NET web shell called SUPERNOVA. Initial investigation reports showed this web shell was used by threat actors to download and execute malicious PowerShell scripts. Further analysis by Microsoft’s security team clarified that the web shell was not connected to the original attack.

If the SUPERNOVA web shell is discovered on your SolarWinds installations, it should be treated separately from Sunburst. The vulnerability it exploits is classified as CVE-2019-8917. The shell can be deployed on unpatched or internet-exposed SolarWinds Orion platforms.

Just as the Sunburst malware was hidden within a DLL (Dynamic Link Library), SUPERNOVA was hidden in the DLL App_Web_logoimagehandler.ashx.b6031896.dll. The malware showed some similarities to Sunburst, but something led researchers to suspect different origins.

Microsoft’s security personnel believe the SUPERNOVA operators had no connection to the Sunburst operators because the DLL lacked an authentic SolarWinds digital certificate. Sophisticated threat actors are meticulous about every move they make within a network, and a mistake like this is rare among them; therefore, Microsoft has deemed the two pieces of malware distinct.
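The two details above (the DLL name and the missing SolarWinds signature) are enough for a first-pass check on an Orion server. The following PowerShell is an added example written for this article, not code from SpearTip, Microsoft, or SolarWinds: it searches for any compiled copy of the logoimagehandler DLL, records its SHA256 hash and Authenticode status, and flags copies that do not carry a valid SolarWinds signature. The search roots (the Orion web directory under C:\inetpub\SolarWinds and the .NET 4.x "Temporary ASP.NET Files" cache) and the assumption that the hash-like suffix in the file name varies between compilations are mine, not stated in the post; adjust them for your installation.

```powershell
# Added example (not from the SpearTip post or SolarWinds): enumerate candidate
# SUPERNOVA DLLs on an Orion host and report hash and Authenticode status.
# Assumptions (not on the page): Orion web content lives under C:\inetpub\SolarWinds,
# and ASP.NET compiled assemblies may also sit in the Temporary ASP.NET Files cache.
$SearchRoots = @(
    'C:\inetpub\SolarWinds',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'
)

# File name from the post; the b6031896-style suffix is assumed to vary per
# compilation, so match any suffix.
$NamePattern = 'App_Web_logoimagehandler.ashx.*.dll'

$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Filter $NamePattern -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteUtc  = $_.LastWriteTimeUtc
                SHA256        = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
                SigStatus     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer        = $sig.SignerCertificate.Subject
                # The post's distinguishing signal: a valid signature from SolarWinds.
                SolarWindsSig = ($sig.Status -eq 'Valid' -and
                                 $sig.SignerCertificate.Subject -like '*SolarWinds*')
            }
        }
}

if (-not $findings) {
    Write-Output "No $NamePattern found under the configured roots."
} else {
    $findings | Format-Table -AutoSize

    # Copies without a valid SolarWinds signature are the ones to preserve and
    # investigate; the SHA256 lets you compare against the vendor-shipped binary
    # and against published indicators.
    $suspect = @($findings | Where-Object { -not $_.SolarWindsSig })
    if ($suspect.Count -gt 0) {
        Write-Warning "$($suspect.Count) copy/copies lack a valid SolarWinds signature; preserve the files and timestamps before remediating."
    }
}
```

Run it from an elevated PowerShell session on the Orion host. The script only reads; it does not delete or quarantine anything, so the evidence (file, timestamps, hash) stays intact for the incident responders who follow up.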

SpearTip experts have had their eyes all over the SolarWinds breach since the news hit. In fact, our developers created a free tool, Sunscreen SPF 10, to check if the Sunburst Malware has been in your network by monitoring malicious activity and rooting out compromised versions of SolarWinds. We’ve also developed an EDR tool, ShadowSpear®, to monitor your environment and allow full transparency on your risk profile.

The cybersecurity professionals in our Security Operations Center are on call 24/7 and will assist with any issues or concerns regarding the SolarWinds breach. If you have questions, call the Security Operations Center (SOC) at 833.997.7327.
