2020-12-28

With one of the biggest cyberattacks of all time in the US, Hacker News tells us today that this security breach could be even bigger than we suspected. Hackers likely exploited another flaw in SolarWinds’ Orion software to install malware: Supernova.

Supernova malware installed because of a security breach

Microsoft is the origin of this second discovery. In a recently published blog post, the American company said it found that a second group of hackers had targeted SolarWinds’ Orion platform. A revelation that adds to the troubles of the Austin, Texas-based company, already at the origin of a major security breach.

The Redmond company states, “Investigation of the entire compromised SolarWinds file has revealed additional malware that is also affecting the SolarWinds Orion product, but was determined to be unlikely to be related to this attack and to be used by another actor.”

This is the Supernova malware in question. According to CERT (Computer Emergency Response Team), “The SolarWinds Orion API, which is used to interface with all other Orion systems monitoring and management products, has a vulnerability (CVE-2020-10148) that is likely to be exploited, enabling unauthenticated commands to be executed.” In this way, hackers managed to integrate the Supernova malware into the SolarWinds software.

The execution and flexibility of this malware can make it devastating

The researchers state that Orion’s API authentication can be bypassed by including certain parameters in the Request.PathInfo portion of a Uniform Resource Identifier (URI) request to the API. An attacker only needs to include a PathInfo parameter containing WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n in a request to a SolarWinds Orion server. Such combinations can cause the “SkipAuthorization” flag to be set. As you can see, this lets hackers make an API request without having to authenticate.
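From a defender’s side, the practical takeaway of the paragraph above is that the four PathInfo strings are something to hunt for in web server logs of Orion hosts. The following Python script is an added example written for this article; it is not code from SolarWinds, CERT or the original post. It assumes a reduced IIS W3C log layout (date, time, client IP, method, URI stem, query, status), the log lines are constructed, and the “high” versus “review” severity split is a heuristic of this example: a token that trails another resource in the path matches the PathInfo abuse described above, while a token that is the final path segment may simply be a normal handler request and deserves a look rather than an alert.

```python
"""Flag web-server log records whose request path carries one of the PathInfo
tokens associated with the Orion API authentication bypass (CVE-2020-10148).
Added example; sample log lines below are constructed, not real traffic."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Tokens named in the CERT advisory. Matched case-insensitively because IIS
# path handling is case-insensitive (assumption: default server configuration).
BYPASS_TOKENS = ("WebResource.adx", "ScriptResource.adx", "i18n.ashx", "Skipi18n")

# Assumed reduced W3C field order:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample log (comment line, one benign request, one request with a
# token trailing another resource, one direct handler request, one static file).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2020-12-14 08:01:02 203.0.113.10 GET /Orion/Login.aspx - 200",
    "2020-12-14 08:01:05 203.0.113.10 POST /api/example.asmx/Query/WebResource.adx - 200",
    "2020-12-14 08:02:11 198.51.100.7 GET /Orion/i18n.ashx lang=en 200",
    "2020-12-14 08:02:12 198.51.100.7 GET /Orion/Images/logo.png - 200",
]


@dataclass
class Finding:
    client_ip: str
    path: str
    token: str
    status: int
    severity: str  # "high" = token trails another resource; "review" = token is the last segment


def find_bypass_token(path: str) -> Optional[str]:
    """Return the first advisory token found in the path (case-insensitive), else None."""
    lowered = path.lower()
    for token in BYPASS_TOKENS:
        if token.lower() in lowered:
            return token
    return None


def classify(path: str, token: str) -> str:
    """Heuristic severity: if any path segment before the token contains a dot,
    the token sits in PathInfo after a real resource (e.g. /x.asmx/.../Skipi18n),
    which is the shape of the bypass; otherwise flag it for review only."""
    prefix = path.lower()[: path.lower().index(token.lower())]
    preceding_resource = any("." in seg for seg in prefix.split("/"))
    return "high" if preceding_resource else "review"


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse log records and return one Finding per request carrying a token."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # header/comment lines and malformed records are skipped
        token = find_bypass_token(m["stem"])
        if token:
            findings.append(
                Finding(m["ip"], m["stem"], token, int(m["status"]), classify(m["stem"], token))
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.client_ip} {f.path} (token={f.token}, status={f.status})")
```

Running the script on the constructed sample reports the POST with WebResource.adx trailing an .asmx resource as high and the direct /Orion/i18n.ashx request as review; pointing `scan_log` at real IIS logs requires adjusting the field order to what the server actually writes.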

Researchers at Palo Alto Networks’ Unit 42 believe that: “Supernova is new and powerful because of its execution in memory, the refinement of its parameters, its execution, and its flexibility through the implementation of a Full Programmatic API”. Enough to add work to CISA (Cybersecurity and Infrastructure Security Agency) and the FBI, the two agencies responsible for the investigation. They are still trying to understand the extent of the damage.

To this day, we know that this hack dates back to October 2019. Hackers first got into the Orion software and made innocuous changes. Later, they made malicious changes and introduced various malware, including Supernova. We also know that state secrets were likely stolen because government agencies were affected. Among them are the US Treasury Department, the National Institutes of Health (NIH) and the Cybersecurity and Infrastructure Security Agency (CISA).