CISA Describes APT Group’s Methods
An advanced persistent threat group gained long-term access to an unnamed entity’s network through its Ivanti Pulse Secure VPN and SolarWinds’ Orion server and then installed Supernova malware, according to the U.S. Cybersecurity and Infrastructure Security Agency.
“The threat actor connected to the entity’s network via a Pulse Secure virtual private network appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as Supernova and collected credentials,” CISA says in a Thursday alert.
The attacker maintained persistence from March 2020 until February 2021, CISA says.
CISA says the attack discussed in the alert is unrelated to the SolarWinds supply chain attack, which affected 18,000 users and led to follow-on attacks on nine government agencies and 100 companies.
“CISA assesses this is a separate actor than the APT actor responsible for the SolarWinds supply chain compromise. Organizations that find Supernova on their SolarWinds installations should treat this incident as a separate attack,” CISA says.
U.S. investigators say the Russian Foreign Intelligence Service, aka SVR, was behind the SolarWinds supply chain attack.
In recent weeks, attackers have exploited a zero-day flaw and previously patched flaws in Pulse Connect Secure VPN products. But the attack described by CISA appears to have used a different approach.
The security firm FireEye believes the groups UNC2630 and UNC2717 were responsible for the string of Pulse Connect Secure attacks. UNC2630 is suspected to have ties to the Chinese government.
Bronze Spiral Involved?
CISA declined to attribute the attack. But Don Smith, the senior director of the Cyber Intelligence Cell at the Secureworks Counter Threat Unit, ties the attack to the threat group Bronze Spiral, also known as Tick, which is associated with China.
“The timing and tools, tactics and procedures described by CISA are consistent with the findings we set out in our blog and would also corroborate our assessment that the two intrusions we responded to at the same organization were both perpetrated by the same threat actor, Bronze Spiral,” Smith says.
Smith says the TTPs used in other Bronze Spiral attacks include gaining initial access through the exploitation of vulnerable internet-facing systems, deploying the Supernova web shell, stealing credentials, gaining ongoing access through VPN services using legitimate credentials, deploying other tools renamed to disguise their function and using compromised infrastructure for command and control.
In its Thursday alert about the attack leveraging a Pulse Secure VPN and SolarWinds’ Orion platform, CISA says the APT group first gained access to the victim’s Pulse Secure VPN and then obtained the credentials necessary to move over to the target’s SolarWinds Orion server, where it downloaded Supernova.
Secureworks describes Supernova as a Trojanized version of the legitimate dynamic link library used by the SolarWinds Orion network monitoring platform. Researchers spotted hackers using Supernova to conduct reconnaissance on a SolarWinds client’s network, which eventually led to the exfiltration of some credentials.
The multistage attack likely started with the attacker hacking into and taking control of three home routers based in the United States, allowing them to masquerade as employees of the victim who were working remotely, CISA says.
The attacker then used virtual machines to connect to the Pulse Secure VPN using valid account credentials, none of which required multifactor authentication, CISA says. The agency does not know how the attackers obtained the credentials.
“The threat actor then moved laterally to the entity’s SolarWinds Orion appliance and established persistence by using a PowerShell script to decode and install Supernova,” CISA says.
The attacker, possibly due to an error by the victim, was able to access and remove credentials from the network.
“The threat actor used Export-PfxCertificate to gather cached credentials used by the SolarWinds appliance server and network monitoring,” CISA says. “The private key certificate must have been marked as exportable; either the threat actor was able to change or bypass that property prior, or the affected entity mistakenly marked the certificate exportable.”
The attacker harvested additional credentials by placing a copy of the ingress transfer tool procdump.exe, disguised as part of the entity's logging infrastructure, on the SolarWinds Orion server. Using its system-level access, the attacker ran this tool to dump the memory of the Local Security Authority Subsystem Service (LSASS), which contained the credentials.
The dump was then moved to a directory and exfiltrated from the system using an HTTP GET request.
The attacker then covered its tracks by deleting the internet information service logs, CISA reports.
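Host-side detection for the three steps just described, as an added example that is not from the CISA alert or from Secureworks: it runs three rules over constructed sample events (an assumed `timestamp|host|source|message` line format standing in for PowerShell, process-creation and file-deletion telemetry) and flags an Export-PfxCertificate call, a renamed procdump.exe pointed at LSASS, and deletion of IIS logs under inetpub\logs.

```python
import re

# Constructed sample telemetry (not from the CISA alert), one event per line as
# timestamp|host|source|message, standing in for PowerShell script-block,
# process-creation and file-deletion records from an Orion server.
SAMPLE_EVENTS = r"""
2020-11-03T02:11:09Z|ORION01|PowerShell|Export-PfxCertificate -Cert Cert:\LocalMachine\My\ABCD1234 -FilePath C:\temp\orion.pfx
2020-11-03T02:14:51Z|ORION01|ProcessCreate|Image=C:\ProgramData\logcollector.exe OriginalFileName=procdump.exe CommandLine="logcollector.exe -ma lsass.exe C:\temp\l.dmp"
2020-11-03T02:20:07Z|ORION01|FileDelete|Path=C:\inetpub\logs\LogFiles\W3SVC1\u_ex201103.log
2020-11-03T02:21:00Z|ORION01|ProcessCreate|Image=C:\Windows\System32\notepad.exe OriginalFileName=notepad.exe CommandLine="notepad.exe"
""".strip()

def rule_pfx_export(source, msg):
    # Cached Orion certificate exported with Export-PfxCertificate.
    if source == "PowerShell" and re.search(r"\bExport-PfxCertificate\b", msg, re.I):
        return "pfx-export", "Export-PfxCertificate invoked"

def rule_renamed_procdump(source, msg):
    # procdump.exe running under another file name and/or pointed at LSASS.
    orig = re.search(r"OriginalFileName=(\S+)", msg)
    image = re.search(r"Image=(\S+)", msg)
    if source != "ProcessCreate" or not (orig and image) or orig.group(1).lower() != "procdump.exe":
        return None
    exe = re.split(r"[\\/]", image.group(1))[-1].lower()  # basename of a Windows path on any OS
    notes = ["procdump.exe renamed to " + exe] if exe != "procdump.exe" else []
    if "lsass" in msg.lower():
        notes.append("LSASS memory dump requested")
    return "renamed-procdump", "; ".join(notes) or "procdump.exe executed"

def rule_iis_log_delete(source, msg):
    # IIS request logs deleted under inetpub\logs (the anti-forensics step).
    if source == "FileDelete" and re.search(r"inetpub[\\/]logs[\\/]", msg, re.I):
        return "iis-log-delete", "IIS log removed: " + msg.split("=", 1)[-1]

RULES = (rule_pfx_export, rule_renamed_procdump, rule_iis_log_delete)

def scan(events):
    # Returns (timestamp, host, rule, detail) tuples in event order.
    findings = []
    for line in events.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the scan
        ts, host, source, msg = parts
        for rule in RULES:
            hit = rule(source, msg)
            if hit:
                findings.append((ts, host) + hit)
    return findings
```

Only the three malicious events fire; the benign notepad.exe launch produces no finding, and an Orion server where any one of these rules fires should be treated as a candidate for the full credential-theft chain rather than an isolated alert.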
“CISA believes the logs would have likely revealed the threat actor exploited CVE-2020-10148, an authentication bypass vulnerability in SolarWinds Orion application programming interface that allows a remote attacker to execute API commands,” CISA says.
The attacker likely exploited CVE-2020-10148, CISA says, because the credentials used by the attacker would not have allowed access to the SolarWinds Orion server.
CISA believes the threat actor leveraged that flaw to bypass authentication to the SolarWinds appliance and then used the SolarWinds Orion API's ExecuteExternalProgram to run commands with the same privileges (system level) under which the SolarWinds appliance was running, the alert says.
Secureworks says Bronze Spiral used the same technique in a November 2020 attack that included exploiting CVE-2020-10148 and then again in December 2020 after SolarWinds reported that a malicious actor had used the vulnerability to gain access and deploy Supernova on another victim.