CISA Discovers Advanced Malware in VPN Device
The Cybersecurity and Infrastructure Security Agency said it has detected malware from an advanced persistent threat that had been compromising an entity’s enterprise network since at least March 2020.
The threat actor behind the web shell malware, dubbed Supernova, exploited vulnerabilities in a Pulse Secure virtual private network device before moving laterally to the affected organization's SolarWinds Orion server, CISA said Thursday.
Supernova maliciously injected code into a web portal to perform reconnaissance, conduct domain mapping and steal sensitive information and credentials.
For at least 11 months, the threat actor used U.S.-based internet protocol addresses to impersonate teleworking employees, CISA said.
The threat actor then exploited several user accounts without multi-factor authentication to breach the VPN device. The government has not yet determined how the hackers obtained the initial credentials.
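The two access patterns described above, authentication without a second factor and an account appearing from addresses it had not used before, are exactly what a defender would hunt for in VPN authentication logs. The following is an added example written for this article, not code from CISA, Pulse Secure or SolarWinds: the log format, the field names (`user`, `src`, `result`, `mfa`) and every sample line are constructed assumptions, and a real appliance's syslog fields would have to be mapped onto them first.

```python
"""
Hunt-style check over VPN authentication logs for two conditions:
successful logins that completed without multi-factor authentication,
and successful logins from a source IP the account has never used.
The log format and all lines below are constructed for this example.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log lines (not real data). Assumed format:
# <timestamp> user=<name> src=<ip> result=<success|failure> mfa=<yes|no>
SAMPLE_LOG = """\
2020-03-02T08:11:04Z user=jdoe src=10.0.5.12 result=success mfa=yes
2020-03-02T08:14:51Z user=svc_backup src=198.51.100.23 result=success mfa=no
2020-03-03T02:40:10Z user=svc_backup src=198.51.100.23 result=success mfa=no
2020-03-04T23:59:31Z user=asmith src=203.0.113.77 result=failure mfa=no
2020-03-05T00:01:12Z user=asmith src=203.0.113.77 result=success mfa=no
2020-03-05T00:09:44Z user=jdoe src=10.0.5.12 result=success mfa=yes
2020-03-06T13:20:00Z user=asmith src=203.0.113.80 result=success mfa=no
"""


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    for required in ("user", "src", "result", "mfa"):
        if required not in rec:
            return None
    try:
        ipaddress.ip_address(rec["src"])  # reject lines with a bogus source
    except ValueError:
        return None
    return rec


def parse_log(text):
    """Parse every well-formed line, silently dropping malformed ones."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def find_no_mfa_logins(records):
    """Count successful logins per account that had no second factor."""
    hits = defaultdict(int)
    for r in records:
        if r["result"] == "success" and r["mfa"] == "no":
            hits[r["user"]] += 1
    return dict(hits)


def find_new_source_ips(records, known):
    """Successful logins from an IP the account has not used before.

    `known` maps user -> set of baseline IPs (an assumption: the caller
    builds it from an earlier, trusted log window). The baseline is copied
    so the caller's data is not mutated; each new IP is reported once.
    """
    seen = {user: set(ips) for user, ips in known.items()}
    findings = []
    for r in records:
        if r["result"] != "success":
            continue
        user, src = r["user"], r["src"]
        if src not in seen.setdefault(user, set()):
            findings.append((r["ts"], user, src))
            seen[user].add(src)
    return findings


def triage(text, known):
    """Run both checks over a raw log and return the findings together."""
    records = parse_log(text)
    return {
        "no_mfa": find_no_mfa_logins(records),
        "new_ip": find_new_source_ips(records, known),
    }


if __name__ == "__main__":
    # Constructed baseline: the IPs each account used before the hunt window.
    baseline = {"jdoe": {"10.0.5.12"}, "asmith": {"10.0.5.40"}}
    for name, result in triage(SAMPLE_LOG, baseline).items():
        print(name, result)
```

On the constructed sample, the service account and one user account are both flagged for password-only logins, and three logins come from addresses outside each account's baseline. A failed attempt is deliberately not counted as a new-IP finding, so the check surfaces working credentials rather than noise from password guessing.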
CISA believes that the advanced persistent threat is separate from the one linked to the previous SolarWinds hack that affected at least nine federal agencies and hundreds of American companies.
The threat actors behind the SolarWinds hack were able to gain access to multiple public, private and government sector entities by exploiting trojanized updates to the Orion software.
Since the SolarWinds Orion hack was discovered in December, the Department of Homeland Security has introduced a new tool designed to detect post-compromise threat activity resulting from the attack.
CISA advised organizations that find Supernova on their SolarWinds installations to deal with the matter separately.
In its own advisory, SolarWinds said Supernova is not embedded within Orion as a supply chain attack and is instead placed directly on a system hosting the platform.