In the period from March to June 2020, a so far unidentified criminal hacker group smuggled the malware "Sunburst" onto the systems of up to 18,000 users of the network management platform SolarWinds Orion. Sunburst communicated with the attackers via a backdoor. The attackers are believed to have had US government agencies in their sights and to be responsible for a break-in at the security software company FireEye.
The code analyses prompted by the incident have now turned up a second backdoor, which security researchers describe as "Supernova". Probably the most interesting thing about the find: the researchers largely agree that a second, completely independent group is behind Supernova. As with Sunburst, professionals were evidently at work here too. However, the analyses published so far do not make clear whether, and to what extent, the code was used in the wild at all.
Our site has already reported several times on Sunburst:
- Cyber attacks via SolarWinds software (developments in overview)
- FireEye, Microsoft and GoDaddy build "killswitch" for Sunburst malware
- Trump plays down the danger and defends the Russians
Modified legitimate DLL for SolarWinds Orion
Among other things, Microsoft addresses the newly discovered backdoor in the last section of a blog post on the Sunburst malware (which Microsoft calls "Solorigate"). The finding very likely has nothing to do with the current compromise and is being used by a different actor, the post states.
The backdoor code hides in a modified variant of App_Web_logoimagehandler.ashx.b6031896.dll, a legitimate .NET library from SolarWinds. As the name implies, its actual purpose is to respond to HTTP GET requests from other Orion software components by returning images (application logos). The backdoor code, however, allows an abuse in which attackers send a C# script to a vulnerable server, have it compiled "on the fly" and then executed. For this to work, according to Microsoft, the modified variant of the DLL must be placed in the folder inetpub\SolarWinds\bin\ of an existing Orion installation.
Why such a DLL modification could go unnoticed is explained by the company in its own Supernova analysis: the modified variant adds a try-catch block to the already existing (legitimate) method that handles the GET request. Only if the request contains four parameters defined by the attacker (clazz, method, args, codes) does this code block branch to a (newly added) malicious method, DynamicRun(), which compiles and executes the malicious code. Otherwise the legitimate functions of the DLL run entirely as normal.
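For defenders, the four parameter names and the handler name described above are the most useful detection hook: the backdoor only takes the DynamicRun() path when a GET request to the logo handler carries all of clazz, method, args and codes. The following added example (not code from the page, Microsoft or SolarWinds) parses a constructed IIS W3C log excerpt and flags such requests; the field list, IP addresses and parameter values are made up for illustration.

```python
from urllib.parse import parse_qs

# The four query parameters the SUPERNOVA try-catch block checks for before
# handing the request to DynamicRun() (names as given in the analyses above).
SUPERNOVA_PARAMS = {"clazz", "method", "args", "codes"}
HANDLER = "logoimagehandler.ashx"

# Constructed sample IIS W3C log excerpt (not real traffic). The field order
# follows the #Fields: directive, as IIS writes it at the top of each log.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-06-01 10:00:01 GET /Orion/LogoImageHandler.ashx id=1 10.0.0.5 200
2020-06-01 10:00:07 GET /Orion/LogoImageHandler.ashx clazz=Foo&method=Run&args=x&codes=abc 203.0.113.9 200
2020-06-01 10:00:09 GET /Orion/Login.aspx - 10.0.0.7 200
2020-06-01 10:00:12 GET /Orion/logoimagehandler.ashx codes=abc&clazz=Foo 203.0.113.9 500
"""

def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip malformed records instead of misaligning columns
            yield dict(zip(fields, values))

def classify(record):
    """Return 'supernova', 'suspicious' or None for one IIS record."""
    if not record.get("cs-uri-stem", "").lower().endswith(HANDLER):
        return None  # only the logo handler carries the backdoor
    query = record.get("cs-uri-query", "")
    params = {k.lower() for k in parse_qs(query if query != "-" else "", keep_blank_values=True)}
    hits = params & SUPERNOVA_PARAMS
    if hits == SUPERNOVA_PARAMS:
        return "supernova"  # all four parameters present: the DynamicRun() path
    if hits:
        return "suspicious"  # partial match: worth a look, not a confirmed hit
    return None

def scan_log(text):
    """Return (c-ip, verdict, query) for every flagged record, in log order."""
    findings = []
    for rec in parse_iis_log(text):
        verdict = classify(rec)
        if verdict:
            findings.append((rec["c-ip"], verdict, rec["cs-uri-query"]))
    return findings
```

Pair a hit with a check of the DLL itself in inetpub\SolarWinds\bin\ (hash and signature), since the legitimate handler also answers requests to the same path.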
(Image caption) The modified DLL contains a try-catch block (highlighted here) that calls the remote code execution method under certain conditions.
Microsoft Defender detects the compromised DLL as Trojan:MSIL/Solorigate.G!dha. Further details are provided by a third Supernova analysis, from Palo Alto Networks.
Similarities, differences and many open questions
The "creation time" given in a VirusTotal analysis of the modified DLL points to the end of March 2020, a parallel to the attacks with Sunburst. According to the news agency Reuters, however, it is unclear whether Supernova, unlike Sunburst, was used at all as an attack tool, for example against SolarWinds customers. Microsoft also points to a crude difference between the two pieces of malware: while Sunburst carried a valid digital signature from SolarWinds, the people behind Supernova do not seem to have had one; the DLL is unsigned.
If one accepts that the two backdoor finds are unrelated, the important conclusion is that apparently more than just one group of cyber-criminals saw SolarWinds software as a suitable entry point to worthwhile targets. In a statement to Reuters, a SolarWinds spokesman did not directly address Supernova. He merely said that the company would continue to work with experts and customers to exchange information and better understand the incident.